NAVAL POSTGRADUATE SCHOOL
MONTEREY, CALIFORNIA


THESIS 


DESIGN  AND  ANALYSIS  OF  A  MODEL 
RECONFIGURABLE  CYBER-EXERCISE  LABORATORY 
(RCEL)  FOR  INFORMATION  ASSURANCE  EDUCATION 

by 

R.  James  Guild 
March  2004 


Thesis  Advisor:  Cynthia  E.  Irvine 

Co-Advisor:  J.D.  Fulp 


Approved  for  public  release;  distribution  is  unlimited. 




REPORT  DOCUMENTATION  PAGE 



1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: March 2004
3. REPORT TYPE AND DATES COVERED: Master's Thesis

4. TITLE AND SUBTITLE: Design and Analysis of a Model Reconfigurable Cyber-Exercise Laboratory (RCEL) for Information Assurance Education

6. AUTHOR(S): Mr. R. James Guild


11. SUPPLEMENTARY NOTES: This material is based upon work supported by the National Science Foundation under Grant No. DUE-0210762. NSF support also must be orally acknowledged during all news media interviews, including popular media such as radio, television and news magazines. Except for articles or papers published in scientific, technical or professional journals, the following disclaimer must be included: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.


13. ABSTRACT (maximum 200 words)

This thesis addresses the need to create a flexible laboratory environment for teaching network security. For educators to fully realize the benefit of such a facility, prototype exercise scenarios are also needed. The paper is based on a model laboratory created at the Naval Postgraduate School. The initial configuration of the NPS lab is described. The work then develops a list of learning objectives achievable in the RCEL. Six prototype cyber-exercise scenarios are presented to supplement the RCEL description. The activities of each potential scenario are described. Learning objectives met during each scenario are shown. This thesis work demonstrates how a variety of potential RCEL exercises can supplement traditional information assurance education delivery techniques.


7. PERFORMING AGENCY NAME(S) AND ADDRESS(ES): Naval Postgraduate School, Monterey, CA 93943-5000

9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): N/A

12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited.

14. SUBJECT TERMS: Computer Science Education, Information Security, Cyber-Exercise, computer security training, information assurance training, computer laboratory

15. NUMBER OF PAGES: 109

17. / 18. / 19. SECURITY CLASSIFICATION OF REPORT / THIS PAGE / ABSTRACT: Unclassified

20. LIMITATION OF ABSTRACT: UL

NSN 7540-01-280-5500. Standard Form 298 (Rev. 2-89), prescribed by ANSI Std. 239-18.


Approved  for  public  release;  distribution  is  unlimited. 


DESIGN AND ANALYSIS OF A MODEL RECONFIGURABLE CYBER-EXERCISE LABORATORY (RCEL) FOR INFORMATION ASSURANCE EDUCATION


R.  James  Guild 

Civilian, Federal Cyber Service Corps, Naval Postgraduate School
B.S.  California  Lutheran  University,  1986 
MMIS  West  Coast  University,  1988 


Submitted  in  partial  fulfillment  of  the 
requirements  for  the  degree  of 


MASTER  OF  SCIENCE  IN  COMPUTER  SCIENCE 


from  the 


NAVAL  POSTGRADUATE  SCHOOL 
March  2004 


Author:  R.  James  Guild 


Approved  by:  Dr.  Cynthia  E.  Irvine 

Thesis  Co-Advisor 


J.D.  Fulp 

Thesis  Co-Advisor 


Dr.  Peter  Denning 

Chairman, Department of Computer Science




ABSTRACT 


This thesis addresses the need to create a flexible laboratory environment for teaching network security. For educators to fully realize the benefit of such a facility, prototype exercise scenarios are also needed. The paper is based on a model laboratory created at the Naval Postgraduate School. The initial configuration of the NPS lab is described. The work then develops a list of learning objectives achievable in the RCEL. Six prototype cyber-exercise scenarios are presented to supplement the RCEL description. The activities within each potential scenario are described. The learning objectives met during each scenario are shown. This work demonstrates how a variety of potential RCEL exercises can supplement traditional information assurance education delivery techniques.




TABLE  OF  CONTENTS 


I. INTRODUCTION ... 1
  A. PURPOSE OF STUDY ... 1
  B. SCOPE OF THIS WORK ... 1
    1. Research Questions ... 1
    2. Research Objectives ... 2
II. THE NAVAL POSTGRADUATE SCHOOL RECONFIGURABLE CYBER-EXERCISE LABORATORY ... 3
  A. JUSTIFICATION FOR THE CREATION OF A RECONFIGURABLE CYBER-EXERCISE LABORATORY TO SUPPLEMENT TRADITIONAL INSTRUCTION ... 3
  B. NPS RCEL OVERVIEW ... 5
    1. Requirement for VPN ... 6
  C. NAVAL POSTGRADUATE SCHOOL RECONFIGURABLE CYBER-EXERCISE LABORATORY NETWORK DESIGN ... 9
  D. STATIONS WITHIN THE RECONFIGURABLE CYBER-EXERCISE LABORATORY ... 11
III. SURVEY OF INFORMATION ASSURANCE TOPICS IN THE NAVAL POSTGRADUATE SCHOOL IA CURRICULUM ... 19
  A. MODEL IA COURSES AND POSSIBLE RCEL APPLICATION ... 21
    1. CS-3600 (4, 2) Information Assurance: Introduction to Computer Security ... 21
    2. CS-3670 (3, 2) Information Assurance: Secure Management of Systems ... 22
    3. CS-3675 (3, 2) Network Vulnerability Assessment ... 22
    4. CS-3690 (4, 2) Network Security ... 23
    5. CS-4600 (3, 2) Secure Computer Systems ... 23
    6. CS-4603 (3, 1) Database Security ... 23
    7. CS-4614 (3, 1) Advanced Topics in Computer Security ... 24
    8. CS-4677 (3, 2) Computer Forensics ... 24
    9. CS-4680 & 4685 (3, 0) (0, 2) Introduction to Certification and Accreditation and System Certification Case Studies ... 24
IV. COMPUTER SECURITY LEARNING OBJECTIVES ADDRESSABLE IN THE RCEL ... 27
  A. ACADEMIC AND INDUSTRIAL STANDARDS FOR INFORMATION ASSURANCE ... 27
  B. LEARNING ACTIVITIES SUPPORTED IN THE RECONFIGURABLE CYBER-EXERCISE LABORATORY ... 29
  C. SPECIFIC LEARNING OBJECTIVES RELATED TO THE RECONFIGURABLE CYBER-EXERCISE LABORATORY ... 31
    1. Computer Laboratory Skills ... 33
    2. Networks ... 34
    3. Security ... 36
    4. Analysis ... 37
    5. Leadership ... 37
V. EXAMPLE CYBER-EXERCISE SCENARIOS ... 41
  A. SCENARIO I - LOCAL ONLY ... 42
    1. The Design ... 42
    2. RCEL Activities for Scenario I ... 46
  B. SCENARIO II - LIMITED INTERACTION DEFENSE ONLY ... 49
    1. The Design ... 49
    2. Network Design Elements ... 52
    3. RCEL Activities for Scenario II ... 55
  C. SCENARIO III - LIMITED INTERACTION ATTACK ONLY ... 58
    1. The Design ... 58
    2. RCEL Activities for Scenario III ... 62
  D. SCENARIO IV - JOINT TEACHING EXERCISE ... 64
    1. The Design ... 64
    2. RCEL Activities for Scenario IV ... 66
  E. SCENARIO V - EXTERNAL NETWORK VULNERABILITY ASSESSMENT ... 69
    1. The Design ... 69
    2. RCEL Activities for Scenario V ... 72
  F. SCENARIO VI - AGGRESSIVE CYBER EXERCISE ... 76
    1. The Design ... 76
    2. RCEL Activities for Scenario VI ... 78
VI. CONCLUSIONS ... 83
APPENDIX - ACRONYM DEFINITIONS ... 85
LIST OF REFERENCES ... 87
INITIAL DISTRIBUTION LIST ... 93


LIST  OF  FIGURES 


Figure 1. Edgar Dale's Cone of Learning [DAL01] ... 5
Figure 2. RCEL Concept Diagram ... 6
Figure 3. Example Security Training Exercise ... 7
Figure 4. NPS RCEL Stations ... 8
Figure 5. NPS RCEL Topology ... 10
Figure 6. The DoD vs. Commercial Life Cycle ... 29
Figure 7. Learning Continuum (from NIST SP 800-16, Appendix A) ... 32
Figure 8. Scenario I Configuration ... 43
Figure 9. VLAN conceptual diagram from the Cisco Online Documentation (CDROM) [CIS01] ... 44
Figure 10. Scenario II - Defense Only ... 51
Figure 11. Ethereal Capture ... 55
Figure 12. Scenario III - Attack Configuration ... 59
Figure 13. Nmap Scan Results ... 60
Figure 14. HSRP network configuration [CIS05], from http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs009.htm ... 66
Figure 15. Scenario V - Vulnerability Assessment ... 71
Figure 16. Typical Network Design with Perimeter Security [LAR01] ... 77


LIST  OF  TABLES 


Table 1. The 7 Top Management Errors that Lead to Computer Security Vulnerabilities (As determined by the 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999) ... 3
Table 2. Top 10 Mistakes IT Professionals Make Regarding Security ... 4
Table 3. Naval Postgraduate School Information Security Course Matrix for SFS Students ... 19
Table 4. Listing of the Naval Postgraduate School IA Courses ... 33


ACKNOWLEDGMENTS 


The preparation of this thesis was aided by the help and guidance of Mr. Scott Cote, Capt. Francis Afinidad, and Mr. Paul Pappas of Gambit Communications. I especially wish to thank my loving wife Jennifer, who joined me as a student in this adventure at NPS, for her love and patient support. I would also like to acknowledge my thesis advisors Mr. Fulp and Dr. Irvine.




I.  INTRODUCTION 


A. PURPOSE OF STUDY

The intent of this thesis is twofold: first, to demonstrate how a Reconfigurable Cyber-Exercise Laboratory (RCEL) can be designed and used in support of an information assurance education program; second, to design six cyber-exercise scenarios that can be used as models for other information assurance programs.

Within  this  thesis,  the  author  will  describe  the  RCEL  implemented  at  NPS,  the 
stations  and  the  services  implemented  in  that  facility.  Next,  the  paper  will  develop 
learning  objectives  achieved  through  activities  in  the  RCEL.  The  learning  objectives  will 
then  be  related  to  courses  in  an  information  assurance  program.  The  information 
assurance  curriculum  of  the  Naval  Postgraduate  School  will  be  used  as  a  foundation  for 
this  analysis. 

With  the  educational  foundation  in  place,  six  practical  cyber  exercise  scenarios 
will  be  described.  Each  exercise  scenario  presents  a  different  use  for  the  RCEL  and 
associates  the  exercise  with  learning  objectives,  classes  and  supporting  documents 
referenced  in  this  work. 

B. SCOPE OF THIS WORK

1. Research Questions

The  research  questions  to  be  addressed  by  this  thesis  will  focus  on  solving  the 
complex  issues  related  to  establishing  a  supportive,  realistic  laboratory  environment  in 
which  information  assurance  topics  can  be  safely  explored.  When  building  a  RCEL  to 
provide  enhanced  teaching  and  learning  opportunities  within  an  information  assurance 
curriculum,  the  following  questions  must  be  addressed: 

1.  What  interaction  opportunities  exist  between  a  RCEL  and  concurrently 
presented  information  assurance  courses? 

2.  What  equipment  is  needed  (minimum  and  optimal)  in  this  facility? 

3.  What  services  or  stations  should  be  available  in  the  RCEL? 
4. What are the optimal security procedures and policies for each service, OS, and device in the RCEL?

5.  How  can  a  RCEL  organization  achieve  safe  interaction  with  external 
RCELs  in  both  attack  and  defense  postures? 

6.  What  security  concepts  and  practices  can  be  effectively  presented  in  the 
RCEL? 

7.  What  exercise  scenarios  demonstrate  effective  use  of  the  RCEL? 

2.  Research  Objectives 

This thesis will present the following:

1. An identification of existing academic standards (if any) directly related to computer security education.

2. A flexible topology that models a general-purpose network, is rapidly reconfigurable, and supports the study of IA topics.

3. A list of learning objectives and their mapping to the prototype exercise scenarios.

4. Six prototype cyber-exercise scenarios that provide effective models for security exercises.

5. The information needed to conduct post-exercise analysis of the exercise data.

II. THE NAVAL POSTGRADUATE SCHOOL RECONFIGURABLE CYBER-EXERCISE LABORATORY


A. JUSTIFICATION FOR THE CREATION OF A RECONFIGURABLE CYBER-EXERCISE LABORATORY TO SUPPLEMENT TRADITIONAL INSTRUCTION

Tables 1 and 2 are from the SANS (SysAdmin, Audit, Network, Security) Institute web site (http://www.sans.org/resources/errors.php#top). Table 1 emphasizes the need for good information assurance (IA) and cyber-security education. Note that all seven of the management errors listed can be mitigated through information assurance education.

Table 1. The 7 Top Management Errors that Lead to Computer Security Vulnerabilities (As determined by the 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999)

Number Seven: Pretend the problem will go away if they ignore it.
Number Six: Authorize reactive, short-term fixes so problems re-emerge rapidly.
Number Five: Fail to realize how much money their information and organizational reputations are worth.
Number Four: Rely primarily on a firewall.
Number Three: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
Number Two: Fail to understand the relationship of information security to the business problem; they understand physical security but do not see the consequences of poor information security.
Number One: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

Before expounding on the specific learning objectives addressable in the reconfigurable cyber-exercise laboratory (RCEL), it is essential to understand what kinds of issues IA practitioners should be aware of. Again referring to research conducted at the SANS Institute, we see in Table 2 that the most egregious security problems are spawned by the IT staff itself.
Table 2. Top 10 Mistakes IT Professionals Make Regarding Security

Number 1: Connecting systems to the Internet before hardening them.
Number 2: Connecting test systems to the Internet with default accounts/passwords.
Number 3: Failing to update systems when security holes are found.
Number 4: Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI.
Number 5: Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated.
Number 6: Failing to maintain and test backups.
Number 7: Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices.
Number 8: Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing.
Number 9: Failing to implement or update virus detection software.
Number 10: Failing to educate users on what to look for and what to do when they see a potential security problem.
Number 11 (Bonus cause): Allowing untrained, uncertified people to take responsibility for securing important systems.

The reconfigurable cyber-exercise laboratory (RCEL) used in an academic program addresses the issues raised by the SANS Institute and provides an opportunity for students to learn effective IA practices in a safe environment. The RCEL, however, goes far beyond just hands-on training. It empowers the instructor or professor to follow the three critical steps of learning: show, demonstrate, and do [EEE01].

In an ERIC Digest (Educational Resource Information Clearinghouse, now defunct) published in 1997, Travis stated, regarding models for improving college teaching:

As learning becomes more complex, students frequently depend upon faculty to assist them with a multitude of obstacles. Yet, given the typical preparation college faculty receive for teaching (ed. little or none), the tendency to concentrate on presentational methods, like the lecture, can aggravate students' difficulties with learning. Consequently, instructors are encouraged to stop viewing teaching as "covering the content" and to start viewing it as "helping the students learn" [WEI01]

Teaching and learning information assurance is challenging. Often traditional teaching methods are not adequate or comprehensive. For some students, a thorough understanding of IA is not fully achievable in a classroom. A student's learning experience is enhanced when they have configured a router, perpetrated or been the victim of an attack, and "experienced" security. The RCEL provides that hands-on experience to supplement traditional presentation. According to Figure 1, learners who supplement traditional education with hands-on activities remember 90% of the lesson, compared to only 20% from a traditional lecture [DAL01].


Figure 1. Edgar Dale's Cone of Learning [DAL01]


B. NPS RCEL OVERVIEW

A RCEL is a computer laboratory facility that can be rapidly changed to accommodate various activities. Traditional computer laboratories tend to be static in configuration and difficult to change. The RCEL is a flexible collection of equipment that can be quickly interconnected and configured. Organizations can develop configurations for each piece of equipment or function. These configurations can be stored and, when needed, deployed quickly using a disk-imaging tool such as Symantec Ghost.

Unlike a traditional computer lab that must support many students performing a wide variety of activities, the RCEL need not have any specific configuration. The type and scope of activities to be conducted determines the design, layout, and interconnection requirements. The RCEL need only have sufficient equipment to provide a meaningful network environment.

Figure 2 shows a minimal RCEL exercise configuration. Each LAN (Local Area Network) is achievable with as little as a router and a computer. In Figure 2, the VPN (Virtual Private Network) gateway is any VPN-capable device, e.g., a router, computer, or dedicated appliance. The LAN on either side can be any combination of network-attachable devices. The size and complexity of each LAN is based on the needs and resources of the organization. The attacker and defender LANs need not have matching configurations.

Figure 2. RCEL Concept Diagram (Reconfigurable Cyber-Exercise Laboratory Overview: two LANs joined through VPN gateways across the Internet)


1. Requirement for VPN

A critical design requirement is the isolation of exercise traffic from any public networks. Figure 2 shows the fundamental structure of an attack/defend exercise. VPN gateways isolate each LAN from the public Internet. Note that the "Internet" cloud is any OSI layer 1 and layer 2 configuration capable of passing IP traffic. The only functional requirement on this "internet" is that it provide connectivity between the VPN gateways. The secure configuration of the VPN gateways is critical when the RCEL is connected to another organization via the real Internet. The VPN is discussed in detail in Chapter VI.
If the attacker and defender are within the same organization and their respective networks are air-gapped from any other network, the VPN is unnecessary. However, the RCEL described in this work assumes the attacker and defender are sufficiently remote to necessitate internetworking across some portion of the public infrastructure.


Figure 3. Example Security Training Exercise (Example CSL Exercise; the figure labels Defender #2 as IP=10.1.4.x)

Figure 3 shows how four organizations might interact and interconnect for a cyber exercise. When the VPNs are in place and working correctly, there is no danger of spillover onto networks or devices traversed between locations. This holds only while every exercise route actually enters the tunnel: a misconfigured tunnel selector or a fallback route that bypasses the gateway sends attack traffic onto the public network in the clear, so the outside interface of each gateway should be monitored for exactly that.

The Attacker LAN may use any means (agreed upon by the interacting organizations) to breach the systems of the Defender LAN. This includes any form of malware as well as more interactive exploits. The activity of the Attacker is cryptographically confined within the VPN tunnel and therefore can be allowed to pass across public networks to reach the Defender.
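The spillover claim above is something to verify rather than assume. The following is an added example, not code from the thesis: a Python check that classifies packets observed on the transit segment between the two VPN gateways and flags anything that should not be there. The gateway addresses (192.0.2.1 and 198.51.100.1, from the documentation ranges), the exercise address space (10.1.0.0/16, generalizing the 10.1.4.x label in Figure 3), the packet records, and the assumption that the tunnel is IPsec ESP keyed by IKE are all assumptions of the example, not facts stated on the page.

```python
"""
Spillover check for the transit segment between two RCEL VPN gateways.

Added example, not from the thesis.  Assumptions (not stated on the page):
gateway outside addresses 192.0.2.1 and 198.51.100.1 (documentation ranges),
exercise LANs in 10.1.0.0/16, and an IPsec tunnel (ESP, IP protocol 50)
keyed by IKE (UDP 500, or UDP 4500 with NAT traversal).
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple

GATEWAYS = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}   # assumed
EXERCISE_NETS = [ip_network("10.1.0.0/16")]                         # assumed
ESP, TCP, UDP = 50, 6, 17
IKE_PORTS = {500, 4500}


class Packet(NamedTuple):
    """One record as read off a gateway's outside interface (constructed)."""
    src: str
    dst: str
    proto: int            # IP protocol number
    sport: int = 0        # 0 when the protocol has no ports
    dport: int = 0


def is_tunnel_traffic(p: Packet) -> bool:
    """True only for ESP or IKE exchanged directly between the two gateways."""
    if {ip_address(p.src), ip_address(p.dst)} != GATEWAYS:
        return False
    if p.proto == ESP:
        return True
    return p.proto == UDP and p.sport in IKE_PORTS and p.dport == p.sport


def is_exercise_address(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in EXERCISE_NETS)


def find_spillover(packets: List[Packet]) -> List[Tuple[str, Packet]]:
    """
    Return (reason, packet) for every packet that must not appear on the public
    side: an exercise address in the clear (tunnel bypassed or misrouted), or a
    gateway talking outside the tunnel (e.g. cleartext management).  Unrelated
    transit traffic is ignored, since a real Internet segment carries plenty.
    """
    findings = []
    for p in packets:
        if is_tunnel_traffic(p):
            continue
        if is_exercise_address(p.src) or is_exercise_address(p.dst):
            findings.append(("exercise-address-in-clear", p))
        elif ip_address(p.src) in GATEWAYS or ip_address(p.dst) in GATEWAYS:
            findings.append(("gateway-outside-tunnel", p))
    return findings


# Constructed sample: what a sniffer on the transit segment might see.
SAMPLE = [
    Packet("192.0.2.1", "198.51.100.1", UDP, 500, 500),     # IKE negotiation
    Packet("192.0.2.1", "198.51.100.1", ESP),               # attacker's traffic, encrypted
    Packet("198.51.100.1", "192.0.2.1", ESP),               # defender's replies, encrypted
    Packet("10.1.4.7", "10.1.1.5", TCP, 40123, 80),         # exercise packet in the clear: leak
    Packet("192.0.2.1", "203.0.113.9", TCP, 4422, 23),      # gateway telnet outside the tunnel
    Packet("203.0.113.9", "203.0.113.10", TCP, 1234, 443),  # unrelated transit traffic
]

if __name__ == "__main__":
    for reason, pkt in find_spillover(SAMPLE):
        print(reason, pkt)
```

In practice the records would come from a capture on the gateway's outside interface or a span port on the transit switch; any finding means the tunnel policy or the routing is wrong, and the exercise should pause until it is fixed.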

The Defender/Attacker LAN consists of various interconnected computers. The RCEL configured at the Naval Postgraduate School (NPS) was interconnected via Category 5 [NAT17] cabling in a 10/100BASE-T Ethernet configuration.
An air-gapped lab was chosen for the RCEL, but one in which access to the campus LAN was possible (though carefully controlled). The NPS RCEL maintains at least one computer that is not part of the scenario lab but is connected to the campus LAN and made available for research and communication, mostly e-mail. This dedicated machine has proven very useful for downloading patches and software tools to strengthen the network, as well as documents for help and guidance. (For a more detailed description of this access station, see station description 23 below.)
Figure 4. NPS RCEL Stations

Figure 4 shows the physical layout of the Naval Postgraduate School's RCEL. The Naval Postgraduate School has set up the RCEL with as few as three people, each assigned to several stations. The design allows 18-24 students to participate comfortably. Each seat represents a specific network function, such as IDS or firewall, which can be assigned to an individual or team. Each location has a monitor which may be connected to any of several computers or a laptop. Multiplexing of each seat is accomplished using KVM (keyboard, video, mouse) switches, which allow a single station to connect to up to four computers.

C. NAVAL POSTGRADUATE SCHOOL RECONFIGURABLE CYBER-EXERCISE LABORATORY NETWORK DESIGN

The NPS RCEL utilized existing equipment, which was in place as a result of previous acquisitions and funded exercises. The equipment currently includes: 16 Dell servers, 1 Apple G4, a Cisco 4224 Layer 3 switch, numerous Cisco routers, a Cisco PIX 506 firewall, 2 Dell laptops, 2 Sun Netra X1 servers, and numerous small hubs and switches. The RCEL also benefits from relationships with local corporations. For example, Cisco Systems recently donated several routers, switches, and a PIX 506 firewall.

Figure 5 presents the general topology of the NPS RCEL network.[1] The topology is based on the concept that the NPS RCEL is the top-level DNS domain for this and any attached networks.

In the topology, hubs 1, 2 and 3 are treated as non-existent: they have no impact on security. These "non-existent" hubs are part of the data collection package that provides a means for assessment and monitoring. Connections shown with dotted lines are transient; i.e., they indicate connectivity that may be put in place when needed.

[1] The topology was developed by Mr. Ken Johns, Ms. Jennifer Guild and the author.
Figure 5. NPS RCEL Topology (the figure also shows the Public Services segment)

To give the student a realistic experience managing complex networks, the NPS RCEL uses subnets and makes extensive use of VLANs. In the topology in Figure 5, server IP addresses are fixed and correspond to the VLAN (Virtual Local Area Network) with which the server is associated. Dynamic Host Configuration Protocol (DHCP) [DRO01] addresses are provided for individual non-server workstations. Employing VLANs provides the opportunity for students to create ACLs (Access Control Lists) on the Cisco switch and perform specific filtering for each network segment based on that segment's functions and applications.
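To make the per-segment ACL work concrete, here is an added example (not from the thesis) of a small evaluator for Cisco IOS numbered extended ACLs that reproduces the semantics students most often get wrong: first match wins, the implicit deny at the end of the list, and wildcard masks in which a 1 bit means "ignore this bit". The ACL text, the VLAN addressing (workstations on 10.1.4.0/24, servers on 10.1.1.0/24) and the DNS and FTP server addresses are constructed for the example; only numeric ports are accepted, not IOS port names such as `domain` or `ftp`.

```python
"""
Evaluator for Cisco IOS numbered extended ACLs of the kind a student writes
for one VLAN segment.  Added example, not from the thesis.  The ACL text and
the addresses (workstation VLAN 10.1.4.0/24, server VLAN 10.1.1.0/24, DNS on
10.1.1.5, FTP on 10.1.1.6) are constructed for the example.  Only numeric
ports are supported, not IOS port names such as `domain` or `ftp`.
"""
from ipaddress import ip_address
from typing import List, NamedTuple, Optional, Tuple

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # None = any protocol


class Addr(NamedTuple):
    base: int
    wildcard: int          # IOS wildcard mask: a 1 bit means "don't care"

    def matches(self, ip: str) -> bool:
        return (int(ip_address(ip)) | self.wildcard) == (self.base | self.wildcard)


class Ace(NamedTuple):     # one access control entry
    action: str
    proto: Optional[int]
    src: Addr
    sport: Optional[int]
    dst: Addr
    dport: Optional[int]


def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    if tok[i] == "any":
        return Addr(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return Addr(int(ip_address(tok[i + 1])), 0), i + 2
    return Addr(int(ip_address(tok[i])), int(ip_address(tok[i + 1]))), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue                              # blank line or comment
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or proto not in PROTO_NUM:
            raise ValueError("unsupported ACE: " + line)
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append(Ace(action, PROTO_NUM[proto], src, sport, dst, dport))
    return aces


def evaluate(aces, src, dst, proto, sport=0, dport=0) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; returns (action, index), or ('deny', None)
    for the implicit deny that ends every IOS ACL."""
    for idx, a in enumerate(aces):
        if a.proto is not None and a.proto != proto:
            continue
        if not (a.src.matches(src) and a.dst.matches(dst)):
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, idx
    return "deny", None


# Constructed ACL for the server VLAN: workstations may query DNS (UDP 53),
# use FTP control (TCP 21) and ping the servers; telnet is refused explicitly
# so the hit shows in that ACE's match counter rather than in the implicit deny.
ACL_TEXT = """
access-list 101 permit udp 10.1.4.0 0.0.0.255 host 10.1.1.5 eq 53
access-list 101 permit tcp 10.1.4.0 0.0.0.255 host 10.1.1.6 eq 21
access-list 101 deny   tcp any any eq 23
access-list 101 permit icmp 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for pkt in [("10.1.4.20", "10.1.1.5", 17, 33000, 53),
                ("10.1.4.20", "10.1.1.5", 6, 33000, 53),   # TCP 53 (zone transfer) not permitted
                ("10.1.4.20", "10.1.1.6", 6, 33000, 23),
                ("10.1.5.20", "10.1.1.5", 17, 33000, 53)]: # wrong VLAN
        print(pkt, "->", evaluate(ACL, *pkt))
```

The second sample packet is the instructive one: the ACL permits DNS over UDP only, so a zone transfer (TCP 53) falls through to the implicit deny, which is either the intended policy or a bug depending on what the DNS station needs; reading the returned index tells the student which entry made the decision.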

Designing a RCEL can be taken to extremes. For example, networks can be constructed with VPN (Virtual Private Network) encrypted tunnels between every major device (refer to RFCs 2401, 2406, 2407, 2408 and 2409), complex naming schemes, exhaustively long and complex passwords, encryption of all data moving between devices, and so on. Such complexity, while apparently increasing security, is very hard to maintain. In the book Security in Computing, Pfleeger [PFL01] argues that complexity actually decreases overall security because of the increased likelihood of configuration mistakes and the added difficulty of managing and verifying a correct security implementation. An effective RCEL, then, is a balance of functionality, security and student usability.

The RCEL is designed to incorporate as much functionality of a real network environment as possible. The network operating system (NOS) of the network shown in Figure 5 resides on the PDC and BDC servers. The NOS provides the applications that deliver network services such as authentication and domain control. The NOS for the RCEL at NPS is Microsoft Windows 2000 Server.

D. STATIONS WITHIN THE RECONFIGURABLE CYBER-EXERCISE LABORATORY

For educational purposes, the RCEL is organized into a number of "stations." Each station is defined as an area of responsibility which can be assigned to a student or group. In keeping with Saltzer and Schroeder's design principles of economy of mechanism and separation of privilege [SAL01], each station has a singular purpose, e.g., to provide network authentication or to provide network switching. Students assigned to a particular station are expected to "get to know" that station thoroughly and how that station integrates into the larger RCEL network.

The station concept provides flexibility while providing a measure of control and accountability over students. Stations can be assigned by student interest, skill, availability or any scheme suitable to the circumstances of the exercise.

Within the NPS RCEL, 23 stations have been identified and are described below. A * indicates a station that is planned but not implemented, and ** indicates a station that is not connected to any of the others as of the completion of this document (March 26, 2004).

1. Authentication - This station establishes and manages the network authentication service. Users are required to authenticate to some network service such as X.500 (an OSI protocol for managing online directories of users and resources), Active Directory, or Novell. The station manager installs and configures the authentication technique and the associated software and hardware to be used.

2. PDC (Primary Domain Controller) - The PDC holds the SAM (Security Accounts Manager) database, a password database stored as a registry hive on Windows-based networks, and authenticates access requests from workstations and servers in the domain. The authentication service may be combined with this station. The person(s) assigned to this station would implement and manage this functionality in accordance with the network architecture plan.

3. BDC (Backup Domain Controller) - As the name implies, this server backs up the PDC in case of failure (or attack). The most important role here is managing how the network switches to the BDC in the event of an interruption of the PDC.

4. Vulnerability Assessment - This station is used to port scan, enumerate and probe the associated network to assess the effectiveness of the implemented security plan. This station is a laptop (in the NPS RCEL) connected only for testing and monitoring purposes. It is not considered part of the active network and is connected to the network at any point to provide active testing or data collection via a dumb hub. The manager of this station is responsible for acquiring the vulnerability assessment tools, knowing their proper use, performing active probing and vulnerability assessments, and reporting results to those responsible for configuring the servers or services.

5. DNS (Domain Name System) - The DNS server provides a query service used for translating hostnames into IP addresses. The functionality of the DNS server is specified by IETF (Internet Engineering Task Force) STD 13 [MOC01]. STD 13, published by the Internet Engineering Task Force, specifies standards and implementation characteristics of DNS. There are numerous publicly available DNS implementations. The Naval Postgraduate School chose DJBDNS (available from http://ww.djbdns.org) for the RCEL [DJB01].

6. FTP (File Transfer Protocol) - This station provides a server running the FTP server daemon. This service allows users to move data into (FTP put) and out of (FTP get and mget) the server. The file transfer protocol is specified in RFC-959 [POS01]. There are many FTP vulnerabilities and exploits. A recent (January 2004) search of the CERT database (http://www.cert.org) found 282 exploits and vulnerabilities related to FTP services.

7. *PKI CA/RA (Public Key Infrastructure Certificate and Registration Authority) [NAT02] - This station will include a local certificate authority which will be able to issue, revoke and validate PKI certificates for users. These certificates are only valid on the RCEL network or other exercise-participant networks attached via the VPN.

8. Email - This station implements an email server such as MS Exchange, Eudora, a Linux email server, etc. The choice of software is decided in the analysis and design of the network. Each organization may have a preference or constraint that determines the choice of email service. The NPS RCEL implements Linux mail (because it is free). Email distribution and security rules are in accordance with the particular exercise security plan. Like FTP, E-mail is another primary source of intrusion by outsiders. The proper security configuration of this service is crucial.

9. Web - This station provides Web services as specified in RFC-1945 [BER02]. It is one of the most vulnerable parts of the network, as the web server must allow access to fulfill its primary function of delivering content. The manager of this station implements web pages that provide the necessary functionality to access databases, run CGI (Common Gateway Interface) scripts and JavaScript. This station is a primary target for attack.

10. *Wireless - Wireless access points allow authorized users with wireless devices to access the RCEL network. The manager of this station must carefully guard against access by non-RCEL users. The manager must also be knowledgeable, or willing to learn, about wireless technology and the implications of implementing wireless solutions. To prevent the “parking lot” attack described by Arbaugh [ARB01], strong authentication is required. Implementing this station involves not only the primary RCEL instructor, but the local network administrator as well.

11. *HoneyNet - The manager of this station will be responsible for implementing the selected HoneyNet product and writing the proper router scripts to direct selected traffic into the trap. Although a lot of legal wrangling is currently making the news regarding HoneyNet implementations [PFE01, MCC01], this station provides a useful learning tool in the RCEL. In addition to traditional HoneyNet products, unique technologies such as “La Brea Tar Pits” software or other “sticky” solutions can be implemented and tested.

12. *SCADA (Supervisory Control and Data Acquisition) - The CISR, Center for Information Systems Security Studies and Research, has acquired the equipment for, and is active in, SCADA research. As that effort matures, SCADA might become another dimension of the RCEL in the future. Not all schools/agencies that implement an RCEL will necessarily be interested in SCADA network security.

13. MySQL (Database server) - This station represents a typical data server for a web page. The database server in the NPS RCEL is configured with MySQL, chosen simply because it is open source, free and widely supported on the Internet. Any significant database engine such as Oracle, MS-SQL or even MS Access can be used for this purpose. The station manager must know SQL and database design. The database typically provides or accepts data from the Web application but may be directly accessed as well. Most modern networks have some data retrieval or search capability, so this station is significant in providing a “real world” aspect to the RCEL.

14. Routers - The RCEL has several routers which can be connected separately or in an HSRP (Hot Standby Routing Protocol) [LAR01] failover configuration. The routers are a key element of the network’s perimeter security. The manager of this station (or stations) will configure the software (i.e., the IOS running-configuration file) and write and verify filtering access control lists (ACLs). Most students have not had IOS (Internetwork Operating System, ©Cisco Systems) experience, so it is essential for the instructor to provide assistance. A vast amount of helpful documentation is available on the Internet and from official government sources like the NSA (National Security Agency) and NIST (National Institute of Standards and Technology).

15. Firewall - Like the routers, the firewall is programmed to implement a major portion of the security plan. The RCEL uses a Cisco PIX® 506 firewall which is programmed in IOS like the router. The station manager must program the Firewall to allow or block traffic as appropriate to the exercise. For organizations building an RCEL, other firewall products are available. Each firewall product will have a different configuration interface and different strengths and weaknesses. Restrictions on which products can be used may apply for organizations within the DoD, as not all such products are manufactured in the US.

16. IDS (Intrusion Detection System) - The NPS RCEL IDS station is connected to the border router via a hub. Tapping the network before filtering allows the IDS to collect more traffic, to get a better baseline of traffic patterns and to gather the largest amount of data for analysis. Tapping after the firewall would reduce traffic, as the easily filtered or nuisance traffic would have been eliminated. As a scholastic environment, NPS chose to gather the maximum amount of traffic to facilitate analysis. NPS uses Snort™ from Snort.org. Snort™ is popular and widely supported by resources on the Internet. The station manager will be required to install and set up Snort™ to comply with the security and analytical requirements developed for the exercise.

17. DHCP (Dynamic Host Configuration Protocol) - This function can be part of the Primary Domain Controller or may exist separately. The manager of this station configures the DHCP service in accordance with the RCEL exercise topology. The purpose of DHCP is to provide IP addresses to stations which do not have IP addresses already assigned to them.

18. Disk Imaging - This station provides backups of setups or configurations in the event a disk is corrupted. The ghost images are captured from a well defined configuration prior to an exercise. The Naval Postgraduate School uses Symantec’s Norton Ghost product, which is ideal for this task. There are other products for this purpose, such as Imagit 1.0, which can be downloaded as a trial version but is costly to purchase. The station may also use an existing utility like dd (© 1989-2000 AT&T Corp.). The advantage of dd is that forensic duplicates can be made and data extracted when the exercises are over.

19. VPN (Virtual Private Network) [NAT15, NAT10, RUS01, MCC01, KEN01, LAR01, ERA01, NAT17] - This station is the most critical station in assuring RCEL success and security. Since the VPN isolates the RCEL from the Internet, it must be configured carefully and checked thoroughly. The VPN manager will also interact with any other organizations engaged in an exercise, providing critical IP address information and VPN configuration data to allow for successful interconnection between exercise participants.

20. Syslog (Auditing) [ROS01, DAY01, KEE01, GER01] - This station collects error messages and event log information for later analysis. The manager of this station configures not only the syslog server but all reporting servers. The reporting servers are configured to provide specific information in the syslog format [ROS01, DAY01]. Auditing is reviewing and analyzing, in some way, electronic or manual, the information captured and stored [KEE01]. Gerhards [GER01] provides a specific format for arriving syslog information, and it is suggested in this work that managers of the syslog station adopt Gerhards’ proposed standard.

21. Switches - The switch acts upon the content of the Ethernet frame it receives and forwards the frame to the appropriate outbound Ethernet port. The switch provides isolation between ports and VLANs to allow for traffic segregation and management. The NPS RCEL currently uses a Cisco 4224 Catalyst switch programmed in Cisco IOS v12.0. This switch provides for VLANs with separate ACLs. The exercise activities for any given configuration will be the guide for setting up the switch. NSA and NIST provide some excellent guides [NAT16, NAT17] and suggested configurations for network switches that serve well as a starting point for switch configuration. Cisco also provides excellent documentation.

22. Printer - Typical configuration of a printer takes only a few minutes. The importance of the printer, however, is not so much in its explicit functionality as in its proper (secure) configuration to prevent hackers from accessing the printer and possibly gaining access to other systems on the RCEL network. Many modern network printers run small web servlets which are exploitable if visible to the network. These printers also often have open telnet and FTP ports and services. Printers also have a language of their own which can be exploited. For example, Hewlett Packard printers use PCL (Printer Control Language) and PJL (Printer Job Language) to manage and control printing tasks. The PJL code below, written and published by a hacker known as LittleWOlf [LIT01], will cause a complete denial of service by putting the printer to sleep.

#!/bin/sh
NC=/usr/bin/nc
TRUE=/usr/bin/true
ECHO=/usr/bin/echo
while ($TRUE); do
    $NC $1 9100X@PJL OPMSG DISPLAY=\"Printer Fault \"
    sleep 2
done

The manager of the printer station, therefore, has a challenging assignment because few people have experience with printer interfaces and technologies. The learning curve on this station is especially steep.

23. **DIA (Dedicated Internet Access) - This station is added as a convenience to facilitate communication and research on the Internet while the RCEL remains isolated. It is not assigned to a specific student manager; rather, the instructor or area manager must ensure this station remains isolated from the RCEL LAN. The DIA station is wired separately and has only one NIC (Network Interface Card), so it cannot be on both networks simultaneously.

Each station also represents some hardware and interconnection into the network (except the dedicated internet access station). When fully implemented, the RCEL will require a lot of time to configure correctly. If only the assigned lab hours of a typical course (usually 2) are used, it will take most of the semester/quarter to achieve optimal full implementation and testing.
III. SURVEY OF INFORMATION ASSURANCE TOPICS IN THE NAVAL POSTGRADUATE SCHOOL IA CURRICULUM


NPS is one of few schools in the country to have an information assurance track at the Master’s level. CISR (The Center for Information Systems Security Studies and Research) oversees the IA track. The curriculum matrix below shows the courses required in the CISR IA track at the Naval Postgraduate School, and is specific to the Scholarship For Service program [SFS01]. The courses in grey are those that specifically address information security topics.


Table 3. Naval Postgraduate School Information Security Course Matrix for SFS Students

1st Quarter (Fall/Spring)
    CS 3902 (4-2) Programming Paradigms
    CS 3502 (4-2) Computer Comms and Networks
    CS 3650 (6-0) Algorithms and Automata
    CS 3600 (4-2) Information Assurance: Introduction to Computer Security
    CS 4900 (0-2) Technology, Innovation and Leadership I

2nd Quarter (Winter/Summer)
    CS 3310 (4-0) Artificial Intelligence
    CS 3690 (4-2) Network Security
    CS 3204 (3-2) Human-Computer Interaction
    CS 3675 (3-2) Network Vulnerability Assessment
    CS 4901 (0-2) Technology, Innovation and Leadership II

3rd Quarter (Spring/Fall)
    CS 3670 (3-2) Information Assurance: Management of Security Systems
    CS 3320 (3-1) Database Systems
    CS 4600 (3-2) Secure Systems
    CS 4677 (3-2) Computer Forensics

4th Quarter (Summer/Winter)
    CS 0810 Thesis
    SW 3460 (3-1) Software Methodology
    MV 3202 (3-2) Computer Graphics Programming
    CS 4605 (3-1) Security Policies, Models and Formal Methods

5th Quarter (Fall/Spring)
    CS 0810 Thesis
    CS 4603 (3-1) Database Security
    Track Elective
    CS 4680 (3-0) Intro to C&A and CS 4685 (0-2) Case Studies

6th Quarter (Winter/Summer)
    CS 0810 Thesis
    CS 0810 Thesis
    OS 3307 (4-1) Modeling Practices for Computing
    CS 4614 (3-1) Advanced Topics in Computer Security

In the above matrix, the shaded courses might benefit from practical exercises within the RCEL. The intention of this work is to show representative applications of the RCEL in the context of these and other courses selected from the IA track.

In this chapter, a list of IA topics is presented. There are other possible IA topics covered at other teaching organizations, but this list is reasonably comprehensive and provides a grounding for any IA program.

Four major concerns of IA are [IRV04]: confidentiality, integrity, availability, and authenticity. Non-repudiation is sometimes included as a fifth major attribute of IA; however, here non-repudiation is considered to be derived from a combination of mechanisms used to achieve integrity and authenticity, and is therefore not treated as a unique attribute. The following definitions are from the NSTISSI No. 4009 National Information Assurance Glossary created by the NSA [CNS01].

Confidentiality: Assurance that information is not disclosed to unauthorized individuals, processes, or devices. The process of teaching how to enforce confidentiality, therefore, must include an emphasis on cryptography as well as mechanisms for protected communication, access control mechanisms and privacy controls.

Integrity:  Quality  of  an  IS  [information  system]  reflecting  the  logical 
correctness  and  reliability  of  the  operating  system;  the  logical 
completeness  of  the  hardware  and  software  implementing  the  protection 
mechanisms;  and  the  consistency  of  the  data  structures  and  occurrence  of 
the  stored  data.  Note  that,  in  a  formal  security  context,  integrity  is 
interpreted  more  narrowly  to  mean  assured  detection  of  accidental  or 
intentional  modification  of  information. 


Integrity  can  only  be  assured  if  there  is  a  certainty  that  data  (the  resource)  was  not 
inappropriately  altered.  To  teach  integrity,  topics  relating  to  interception,  replay,  data 
insertion,  data  modification,  message  authentication,  hashing,  change  detection,  digital 
signatures  and  key  management  must  be  included.  The  following  definitions  are  also 
from  the  NSTISSI  No.  4009. 

Availability:  Timely,  reliable  access  to  data  and  information  services  for 
authorized  users.  Topics  related  to  availability  that  must  be  taught  in  an 
effective  security  program  include  backup  strategies,  data  and  system 
redundancy,  interception,  blocking,  denial  of  service  issues  and  physical 
protection. 




Authentication:  Security  measure  designed  to  establish  the  validity  of  a 
transmission,  message,  or  originator,  or  a  means  of  verifying  an 
individual's  authorization  to  receive  specific  categories  of  information. 

Topics related to authenticity that must be taught separately include the threat related to spoofing data or users, user authentication, shared secrets, digital certificates and digital signatures. There will be overlap, however, with topics relating to the achievement of integrity, especially in the area of hashing and digital signatures.

These four critical concerns form the foundation of IA and surface frequently in the NPS IA curriculum. Here they will be used to form the starting point of our identification of topics that can be taught, demonstrated, or discovered in the RCEL. Not all IA topics lend themselves well to RCEL lab exercises. Our focus in this work is on those topics supported by RCEL activities.

A. MODEL IA COURSES AND POSSIBLE RCEL APPLICATION

The  Naval  Postgraduate  School’s  Computer  Science  Department’s  security 
curriculum  (at  the  time  of  this  writing)  contains  the  courses  that  will  be  discussed  here. 
This  list  is  not  exhaustive,  but  rather  representative.  The  list  presented  gives  a  broad 
perspective  of  the  possible  uses  of  the  RCEL. 

Please note, the following course descriptions are taken from the NPS online catalog (http://cisr.nps.navy.mil/academics.html) and are italicized to distinguish them from the remainder of this work.

1. CS-3600 (4, 2) Information Assurance: Introduction to Computer Security

Provides  a  comprehensive  overview  of  the  terminology,  concepts,  issues,  policies, 
and  technologies  associated  with  the  field  of  Information  Assurance.  It  covers  the  notions 
of  threats,  vulnerabilities,  risks  and  safeguards  as  they  pertain  to  the  desired  information 
security  properties  of  confidentiality,  integrity,  authenticity  and  availability  for  all 
information  that  is  processed,  stored,  or  transmitted  in  information  systems. 

RCEL activities available for the lab section of this class include: examining the exercise network configuration, demonstrating possible vulnerabilities through scanning or probing the network, demonstrating trusted paths by showing login procedures and how the trusted path is called, and showing firewall and router setup by attempting to transmit an improper or filtered packet into the network.
There are also many potential applications of cryptography in the RCEL. When the PKI station is activated, there will be even more (e.g., dynamically issuing server certificates, validating certificates for relying parties, etc.). Existing cryptographic applications include most authentication schemes, the construction and operation of VPNs, and multiple file encryption schemes available on the various operating systems.

2.  CS-3670  (3,  2)  Information  Assurance:  Secure  Management  of  Systems 

Provides students with a security manager’s view of the diverse management concerns associated with administering and operating an automated information system
facility  with  minimized  risk.  Students  will  examine  both  the  technical  and  non-technical 
security  issues  associated  with  managing  a  computer  facility,  with  emphasis  on  DoD 
systems  and  policies.  Students  will  earn  CNSS  (formerly  NSTISSI)  certification  for: 
INFOSEC  professional,  Systems  Administrator,  and  ISSO. 

The point of this class is to teach how to securely manage computer systems. The RCEL provides an excellent example system, as opportunities for demonstrating best practices in secure management abound. The great advantage of the RCEL is that a failure of a security practice here is not catastrophic: students can make mistakes in a safe environment.

Activities in the RCEL for this class might include security surveys and checklists, management policy development, implementation and compliance, security properties of the network and how they are implemented, and hands-on writing of ACLs for routers and firewalls. Other activities are limited only by time and the imagination of the instructor.

3. CS-3675 (3, 2) Network Vulnerability Assessment

This course is designed to give the student exposure to Internet security threats in a lab environment. Lectures and labs provide the student with a "hands on" experience with current network attacks and vulnerabilities. Foot-printing, scanning, enumeration and escalation are addressed from an attack perspective. Emphasis on detection and protection of critical data and nodes is addressed. A final project that demonstrates skills and knowledge is required.




During this course, the students are taught how a variety of exploits work and are introduced to tools for scanning, enumerating, and penetrating systems. Use of the RCEL allows students to safely use these tools against a “real” system. In addition, assessing the vulnerability of the RCEL during a student attack exercise and adjusting security in an effort to thwart such activity gives students within the RCEL practical, real experience.

4.  CS-3690  (4,  2)  Network  Security 

Addresses  the  concepts  and  technologies  used  to  achieve  confidentiality,  integrity, 
authenticity  and  availability  in  a  networked/internetworked  environment.  Topics  include: 
fundamentals  of  TCP/IP,  switching  and  routing,  core  network  security  principles, 
firewall  types  and  methodology,  packet-level  traffic  analysis,  cryptographic  protocols, 
virtual  private  networks,  and  public  key  infrastructures. 

This class starts by strengthening the student’s understanding of networking. The RCEL will be a major part of that by allowing the students to actually see and test various aspects of a functioning network.

5.  CS-4600  (3,  2)  Secure  Computer  Systems 

This  course  covers  implementation  of  protection  for  monolithic  and  distributed 
secure  computer  systems.  The  problems  of  subversion  and  confinement  are  addressed 
through  lifecycle  assurance  methodologies  for  highly  secure  components.  Topics  include: 
protection  hardware,  implementing  virtual  machines  through  effective  memory 
management  techniques,  synchronization  mechanisms,  critical  sections,  SWE 
methodologies,  and  configuration  mgt  techniques. 

The RCEL can provide a test bed for the Flaw Hypothesis Methodology (FHM) used in this class. For example, red team (attack) activities used in the RCEL during an exercise may serve as empirical proof of the existence of a flaw.

6.  CS-4603  (3, 1)  Database  Security 

Course  topics  include:  policies  for  information  integrity  and  confidentiality  of 
database  (DB)  systems,  modeling  of  secure  DB  systems,  implementation  issues  (e.g., 
atomicity,  serialization,  and  view-based  control),  security  in  statistical  DBs,  security 
approaches  for  object-oriented  DBs,  multi-tier  architecture  security  issues,  privacy, 
aggregation  and  inference,  and  military  applications  of  secure  DBs. 
The RCEL provides for a database station. This station serves as a demonstration platform for database-dependent applications. Many applications rely on databases to collect, organize and provide data on demand. The students assigned to this station will benefit from the interaction of the database with other stations of the RCEL.

7. CS-4614 (3, 1) Advanced Topics in Computer Security

This  course  covers  advanced  topics  in  software,  communications,  and  data 
security.  Military  and  commercial  INFOSEC  policies  are  studied,  including:  software 
and  hardware  subversions;  advances  in  operating  systems,  databases  and  network 
security;  evaluation  criteria  for  secure  systems;  logics;  cryptographic  protocols; 
techniques  for  implementing  supporting  policies;  and  emerging  issues. 

The  RCEL  could  serve  as  a  demonstration  platform  for  many  of  the  topics 
discussed  in  this  course. 

8. CS-4677 (3, 2) Computer Forensics

Covers  the  fundamentals  of  computer  forensics  in  the  context  of  DoN/DoD 
information  operations.  Students  examine  how  information  is  stored  and  how  it  may  be 
deliberately  hidden  and/or  subverted.  Coverage  includes:  practical  forensic  examination 
and  analysis,  techniques  of  evidence  recovery,  legal  preparation  of  evidence,  common 
forensic  tools,  the  principle  of  original  integrity,  disk  examination,  and  logging. 

Course  exercises  may  be  tailored  to  examine  current  and  past  attacks  against  the 
RCEL.  It  may  also  be  configured  to  determine  how  an  internal  hacker  (in  the  form  of  the 
instructor  or  another  class)  might  compromise  the  systems.  Additionally,  a  wealth  of 
valuable  forensic  information  will  be  generated  every  time  an  exercise  of  any  scope  is 
conducted. 

9. CS-4680 & 4685 (3, 0) (0, 2) Introduction to Certification and Accreditation and System Certification Case Studies

This  course  provides  an  introduction  to  the  Certification  and  Accreditation 
(C&A)  process  as  applied  to  procurement  and  lifecycle  management  of  DoD  and  Federal 
information  systems.  Topics  include:  principal  roles,  functional  components,  and  output 
documents  of  the  C&A  process;  and  a  comparison  of  the  government  C&A  process 
specification  currently  in  use  (DITSCAP/NIACAP,  FIPS,  DCID  6/3)  with  the  emerging 
effort to produce a unified specification. CS-4685 is part two of the two course (CS4680 and CS4685) Certification and Accreditation course sequence. Students will investigate 2-3 case studies of systems that have been evaluated, and then apply the lessons of CS4680 to make final accreditation decisions. Successful completion of this two course sequence leads to NSTISSI DAA and Certifier certification.

The  RCEL  exercises  will  generally  follow  the  development  guidelines  prescribed 
by  DoD.  As  such,  the  RCEL  network  is  subject  to  the  DITSCAP  just  as  any  operational 
DoD  network.  Certification  and  accreditation  students  could  construct  a  SSAA  (System 
Security  Authorization  Agreement)  for  each  configuration  of  the  RCEL. 
IV. COMPUTER SECURITY LEARNING OBJECTIVES ADDRESSABLE IN THE RCEL


A. ACADEMIC AND INDUSTRIAL STANDARDS FOR INFORMATION ASSURANCE

Academia in the U.S. has traditionally followed the recommendations of IEEE (Institute of Electrical and Electronic Engineers) or the ACM (Association for Computing Machinery) in setting up educational programs in computer science.

Unfortunately, there is no generally accepted standard for computer security education. In fact, except as integrated into the ACM/IEEE [COM03] guidelines, there are no published standards for computer security education at any academic level.

There are several published standards specific to training in information security. Among the most useful are the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) standards:

• NSTISSI No. 4011 - National Training Standard for Information Systems Security (INFOSEC) Professionals, dated 20 June 1994

• NSTISSI No. 4012 - National Training Standard for Designated Approving Authority (DAA), dated August 1997

• NSTISSI No. 4013 - National Training Standard for System Administration in Information Systems Security, dated August 1997

• NSTISSI No. 4014 - National Training Standard for Information Systems Security Officers (ISSO), dated August 1997

• NSTISSI No. 4015 - National Training Standard for Systems Certifiers, dated December 2000

Other training standards exist for computer security. The most widely recognized
is CISSP (Certified Information System Security Professional), managed by (ISC)²
(https://www.isc2.org/cgi-bin/index.cgi). CISSP has categorized computer security into
10 domains:

1. Access Control Systems and Methodology

2. Applications and Systems Development

3. Business Continuity Planning

4. Cryptography

5. Law, Investigation and Ethics

6. Operations Security

7. Physical Security

8. Security Architecture and Models

9. Security Management Practices

10. Telecommunications, Network and Internet Security

The ISC and other commercial entities provide training to the CISSP standard
and categorize their courses by these domains. The CISSP standards are intended to
apply strictly at a practical, commercial level. Therefore, theory of operating systems,
automata, formal methods and other more academically oriented topics are not included.

Each of the above organizations provides guidance in developing training courses.
The focus areas and demarcations between topics provided by each are helpful in
developing courses and creating learning objectives for IA training.

A learning objective is a brief, clear statement of what the student should achieve
as a result of some learning activity. It should link the learning to successful completion
of assigned tasks. A well-written learning objective is specific and measurable. It forms
the basis for the training and evaluation. Learning achieved in laboratory-based activities
enhances student retention and comprehension [DAL01]. Hill, Carver et al. [HIL01]
stated:

The use of [a] dedicated security laboratory as a mechanism for
supporting active learning was very beneficial. Without exception, the
black teams report that the ability to implement and attempt penetrations
elevated their learning above that possible with lectures.

Further supporting this viewpoint, Irvine [IRV01] stated:

The educational process (for computer security) will be a mix of
theory and practice, lecture and lab, so a class might consist almost
entirely of laboratory exercises or have very few. Certain concepts lend
themselves to laboratory exercises, while others are best taught at the
blackboard.

When designing courses, instructors use many methods to develop comprehensive
learning objectives. An important concept in designing learning objectives is to keep the
knowledge and experience level of the students clearly in focus. Older [OLD01]
proposed an outcome-based model: "No single curriculum can possibly address all of
Information Assurance; concentrating on the desired educational outcomes helped us
determine how to structure our program." When designing courses, both the current level
of expertise and the desired level are critical. The learning objectives must collectively
indicate how the student reaches the next higher level.

Learning objectives are achieved through student activities. For this work, we are
specifically interested in those activities that can take place in the RCEL environment. In
the next section, an examination of those activities is presented.

B.  LEARNING  ACTIVITIES  SUPPORTED  IN  THE  RECONFIGURABLE 
CYBER-EXERCISE  LABORATORY 

The RCEL can initially be thought of as an equipment warehouse. Thus, all
aspects of creating a network still apply. The only action not undertaken is acquisition.
In Figure 6, the three-step DoD life cycle is shown with the more commercially oriented
six-step approach superimposed near the bottom by this author for comparison. The
center bar of the figure simply shows that for a DoD system, certification and
accreditation activities are ongoing throughout the system life cycle.


Figure 6.


Activities in the RCEL follow the life cycle through all phases. High-level
activities derived from the RCEL include: needs analysis, concept development,
preliminary design, implementation, testing and operation. In addition, the RCEL would
include post-existential or post-exercise activities.

For clarification of the activities supported in a RCEL, a walk-through of a mock
inter-scholastic competition exercise might prove useful. In the mock exercise, UoN
(University of Nowhere) has asked the Naval Postgraduate School to participate in a
cyber defense exercise in the Fall quarter (Oct. to Dec.).

The Spring quarter courses begin exercise preparation. Appropriate ongoing
classes prepare a preliminary RCEL design and assess the functionality needed. A
network security class or equivalent course assesses the security requirements and
designs security strategies for the various components. A computer forensics class might
prepare the data-collection mechanisms for the lab exercise.

During the summer, the designs prepared by the various classes are implemented.
When the exercise quarter begins, many classes become involved in preparing for and
engaging in the exercise. Example classes (from the NPS curriculum) that may be
involved include: Network Security, Network Vulnerability Assessment, C&A, Secure
Management of Systems, Computer Forensics, Advanced Topics in Computer Security
and Introduction to IA.

At a high level, many learning activities and teaching opportunities took place.
Critical thinking and problem analysis were required to solve a set of real challenges.
Experiential learning took place in determining the scope of the pending exercise and
determining the functionality needed. Critical learning activities included: preparing a
network design within exercise and equipment constraints, providing network
connectivity, optimizing space utilization, etc. Students gained experience creating a
security strategy that meets the threat or attack posture posed by the exercise.

When building a network within DoD, all organizations must comply with DoD
Directive 8500.1 section 5.10.5, which directs heads of DoD components to: "Identify and
include IA requirements in the design, acquisition, installation, operation, upgrade or
replacement of all DoD information systems for which they have responsibility." The
RCEL at any DoD organization will also be instrumental in instructing students regarding
compliance with that directive, and perhaps even in exceeding these mandated security
minimums. Compliance with DoD directives is assured through certification and
accreditation.

There is an opportunity to perform C&A tasks, including compliance with
DITSCAP (DoD Information Technology Security Certification and Accreditation
Process). The C&A students gained experience constructing and maintaining the SSAA
(System Security Authorization Agreement), which is the primary documentation
demonstrating how the network meets all DoD requirements. Learning took place
interconnecting equipment, testing operation and configuring the various physical
properties of the network. Exercise participants gained knowledge of implementing and
maintaining network services like FTP, DNS, Web, etc.

Experience and learning took place by hardening and testing the systems
according to the security plan adopted. Data collection techniques to capture and
preserve exercise activities were useful. The forensics students also gained experience
analyzing the forensic data gathered. Finally, students gained experience monitoring the
operation of a functioning network.


C. SPECIFIC LEARNING OBJECTIVES RELATED TO THE RECONFIGURABLE CYBER-EXERCISE LABORATORY

Teaching of computer security occurs on many levels; see Figure 7, which is
instructive as it clearly shows the layers of education in the realm of security. The NPS
RCEL is intended for use at a postgraduate school, but there are equally practical
applications at the commercial training level as well. The learning objectives in this
section can be adapted to coursework at any level. With large aspects of information
assurance at the applied level (as is the case for all of computer science), practical aspects
of the field are worthy of classroom time.
The educational outcomes (of security education) must address
security needs consistent with the security challenges encountered by
graduates in their professional roles. (Irvine [IRV05])

The learning objectives presented allow easy creation of evaluation tools (tests) to
assess student achievement. As a pedagogical note, the learning objectives follow Bloom's
taxonomy [BLO02, BLO01] for categorizing learning and learning domains. Bloom's
Taxonomy is the generally accepted structure of learning modalities.


Figure 7. Learning Continuum (from NIST SP800-16 Appendix A)




Table 4. Listing of the Naval Postgraduate School IA Courses

ID     Description
C-1    CS-3600 - IA, Intro to Computer Security
C-2    CS-3670 - IA, Management of Secure Systems
C-3    CS-3675 - Network Vulnerability Assessment
C-4    CS-3690 - Network Security
C-5    CS-4600 - Secure Systems
C-6    CS-4603 - Database Security
C-7    CS-4605 - Security Policies, Models and Formal Methods
C-8    CS-4614 - Advanced Topics in Computer Security
C-9    CS-4677 - Computer Forensics
C-10   CS-4680 & 4685 - Intro to C&A and Case Studies

The reader may freely adopt these learning objectives for courses or training
performed at their own RCEL facility. Each learning objective is mapped to one or more
NPS courses that were described earlier in this document. The learning objectives are
further categorized into five basic areas: computer laboratory skills, networking, analysis,
security and leadership.

All  of  the  learning  objectives  are  accomplished  in  the  course  of  the  advanced 
exercise  Scenarios  III,  IV,  V  &  VI  discussed  later  in  this  work. 

1. Computer Laboratory Skills

LO-1. After completing indoctrination to the RCEL, the student will be able to
identify all RCEL stations and describe their functions.

Naval  Postgraduate  School  Courses:  C-1,  C-2,  C-3,  C-4,  C-8,  C-9,  C-10 

LO-2. After a period of discovery learning, when assigned to a RCEL station, the
student will be able to:

a. Describe the functional significance of the station.

b. Implement the function(s) required of the station within the constraints
of the RCEL.

Naval Postgraduate School courses: C-1, C-3, C-4, C-9
LO-3. The student will learn the correct operation of systems employed in the
RCEL and be able to demonstrate that ability.

Naval Postgraduate School courses: C-1, C-2, C-5, C-8, C-10

LO-4.  After  participation  in  any  phase  of  the  RCEL  implementation  the  student 
will  be  able  to  identify  each  component  of  the  implemented  LAN  and  be 
able  to  relate  that  component  to  corresponding  layers  of  the  ISO  networking 
model. 

Naval  Postgraduate  School  courses:  C-1,  C-2,  C-3,  C-4,  C-9,  C-10 

LO-5.  After  familiarization  with  the  RCEL  network,  the  student  will  be  able  to 
interpret  the  RCEL  network  diagrams  and  verify  the  presence  of  each 
system  component. 

Naval  Postgraduate  School  courses:  C-1,  C-2,  C-4,  C-5,  C-6,  C-8,  C-10 

LO-6.  After  participating  in  a  RCEL  exercise,  the  student  will  gain  an  increased 
knowledge  of  potential  security  issues.  The  student  will  be  able  to 
demonstrate  this  by  articulating  possible  variations  and  extensions  on  her 
RCEL  experiences. 

Naval Postgraduate School courses: C-1, C-2, C-3, C-4, C-7, C-8, C-10

2.  Networks 

LO-7.  After  receiving  introductory  training  in  the  RCEL,  the  student  will  be  able 
to  describe  the  topology  of  the  RCEL  as  implemented. 

Naval  Postgraduate  School  courses:  C-1,  C-4,  C-10 

LO-8.  After  implementing  the  network  specification  for  the  RCEL  the  student  will 
be  able  to  discuss  the  use  of  VLAN  technology  and  the  implications  in 
active  networks. 

Naval  Postgraduate  School  courses:  C-2,  C-3,  C-4,  C-9 

LO-9. Given that the student was assigned to the firewall, router or switch station
during an exercise, the student will be able to demonstrate a working
knowledge of the operating system interface for the device and articulate
the configuration process for these devices.

Naval  Postgraduate  School  courses:  C-1,  C-2,  C-3,  C-4,  C-10 

LO-10.  After  training  in  the  current  configuration  of  the  RCEL  the  student  will  be 
able  to  articulate  the  scheme  of  IP  addressing  implemented. 

Naval  Postgraduate  School  courses:  C-1,  C-2,  C-3,  C-4,  C-9,  C-10 

LO-11. After advanced training and practice on actual machines, the student will be
able to perform security-related configuration operations on routers and switches.

Naval  Postgraduate  School  courses:  C-4,  C-10 

LO-12. After a complete exercise the student will be able to recognize the
symptoms of a system under attack or one that has been compromised.

Naval  Postgraduate  School  courses:  C-1,  C-2,  C-3,  C-4,  C-6,  C-9,  C-10 

LO-13. After participating in a RCEL exercise the student will be able to
interconnect equipment using Ethernet cabling and be able to identify
appropriate jacks, plugs and cable types.

Naval  Postgraduate  School  courses:  C-1,  C-4 

LO-14. After completing the analysis and design of a RCEL topology, the student
will be able to describe the AAA (authentication, authorization, and
accounting; this is Cisco-specific) scheme and articulate how it is implemented.

Naval Postgraduate School courses: C-1, C-2, C-3, C-4, C-6, C-7, C-8, C-9,
C-10

LO-15. After a complete exercise the student will be able to discuss and articulate
such networking concepts as DHCP, PDC/BDC, DNS, VLAN, etc., and how
each is manifested in the current configuration.

Naval  Postgraduate  School  courses:  C-1,  C-2,  C-4,  C-6,  C-10 
LO-16. Before beginning work in the RCEL but after some appropriate classroom
training, the student will demonstrate an understanding of VPN technology.

Naval  Postgraduate  School  courses:  C-1,  C-4 

LO-17. After appropriate instruction the student will be able to demonstrate in the
RCEL proficiency in, and correct analysis of the results obtained using,
rudimentary networking tools such as ping, traceroute, etc.

Naval  Postgraduate  School  courses:  C-1,  C-2,  C-3,  C-4 

LO-18. The student will be able to correctly interpret results obtained in the RCEL
when using network tools such as ping, traceroute, nslookup, etc.

Naval  Postgraduate  School  courses:  C-1,  C-3,  C-4,  C-9 

3.  Security 

LO-19.  Upon  completion  of  a  RCEL  exercise  the  student  will  be  able  to: 

a)  analyze  vulnerability  exploits  used 

b)  discuss  their  effectiveness 

c)  interpolate  how  these  exploits  might  affect  a  “real”  network 

d)  prioritize  the  risks  and  vulnerabilities  of  the  system 

Naval Postgraduate School courses: C-1, C-3, C-4, C-7, C-8, C-10

LO-20.  At  the  conclusion  of  a  RCEL  exercise  the  student  will  be  able  to  analyze 
and  evaluate  the  security  plan  that  was  implemented  and  recognize  the 
strengths  and  weaknesses  of  that  plan. 

Naval  Postgraduate  School  courses:  C-4,  C-6,  C-10 

LO-21. After appropriate coursework in IA, the student will be able to detail the
security requirements for an implementation of the RCEL.

Naval  Postgraduate  School  courses:  C-1,  C-2,  C-3,  C-4,  C-6,  C-9,  C-10 

LO-22.  Given  a  security  plan  for  the  RCEL,  the  student  will  be  able  to  assess  the 
plan  and  take  an  active  role  in  the  implementation  of  the  plan. 
Naval Postgraduate School courses: C-4, C-10

LO-23.  Upon  completion  of  the  RCEL  design  the  student  will  be  able  to  discuss  the 
defensive  posture  of  the  proposed  network  design. 

Naval  Postgraduate  School  courses:  C-4,  C-10 

LO-24. Upon completion of the design and implementation of the network the
student will be able to demonstrate and discuss each of the four areas of
security present in the RCEL: confidentiality, integrity, authenticity and
availability.

Naval  Postgraduate  School  courses:  C-1,  C-4,  C-10 

4.  Analysis 

LO-25.  After  participating  in  a  RCEL  exercise  the  student  will  be  able  to  recognize 
and  describe  obvious  security  flaws  in  the  network  design. 

Naval  Postgraduate  School  courses:  C-4,  C-8,  C-9,  C-10 

LO-26.  When  the  RCEL  is  used  in  conjunction  with  the  computer  forensics  course, 
the  student  will,  upon  completion  of  an  exercise,  be  able  to  perform  basic 
forensic  analysis  on  compromised  systems. 

Naval  Postgraduate  School  courses:  C-4,  C-9 

LO-27.  The  student  will  be  able  to  discuss  how  to  translate  her  experience  into  real 
network  environments. 

Naval  Postgraduate  School  courses:  C-4,  C-10 

LO-28.  After  implementing  a  RCEL  design  the  student  will  be  able  to  articulate 
how  cryptography  is  used  in  the  network. 

Naval  Postgraduate  School  courses:  C-1,  C-8,  C-9 

5.  Leadership 

LO-29.  After  managing  a  RCEL  station  through  an  exercise  scenario,  the  student 
will  be  able  to  analyze,  test  and  confirm  the  functionality  of  that  station. 

Naval Postgraduate School courses: C-2, C-3, C-4, C-7, C-9, C-10
LO-30. Upon completion of the design phase of a RCEL exercise the student will
be able to develop an implementation plan describing the activities needed
to complete the implementation.

Naval Postgraduate School courses: C-8, C-10

LO-31. Upon completion of the design phase of a RCEL exercise the student will
be able to demonstrate that the final design meets the exercise requirements.

Naval  Postgraduate  School  courses:  C-10 

LO-32. Prior to initiating an exercise, the student will be able to assess the readiness
of the network and specifically the stations to which they are assigned.

Naval Postgraduate School courses: C-4, C-5, C-7, C-8, C-10

LO-33. Upon completion of an exercise the student will be able to verify the utility
of pre-existing network security checklists.

Naval Postgraduate School courses: C-4, C-10

LO-34. After implementation of a RCEL topology the student will be able to
discuss the process of implementation and articulate mistakes that were
made, delays that were suffered and ways the process might be improved.

Naval Postgraduate School courses: C-10

LO-35. After familiarization with the RCEL and in conjunction with the secure
management of systems class the student will be able to assess the security
and business continuity posture of the current topology.

Naval Postgraduate School courses: C-2, C-10

LO-36. Upon completion of any phase of the RCEL lifecycle the student will be
able to discuss team leadership and articulate learning related to team
management and conduct.

Naval  Postgraduate  School  courses:  C-10 
LO-37. After completing a RCEL exercise, the student will be able to read, interpret
and manage the implementation of a network security plan.

Naval  Postgraduate  School  courses:  C-10 
V. EXAMPLE CYBER-EXERCISE SCENARIOS


The primary function of the RCEL is to provide an enabling technology for
inter-organization training and cyber defense exercises. In this chapter, six possible scenarios
are created. In designing each scenario and the associated network topology, design
principles first codified by Saltzer and Schroeder [SAL01] in their 1975 paper on
computer protection are used. Those principles, quoted here from the 1975 paper, are:

• Economy of Mechanism: The protection mechanism should have a simple
and small design.

• Fail-safe Defaults: The protection mechanism should deny access by
default, and grant access only when explicit permission exists.

• Complete Mediation: The protection mechanism should check every
access to every object.

• Open Design: The protection mechanism should not depend on attackers
being ignorant of its design to succeed. It may however be based on the
attacker's ignorance of specific information such as passwords or cipher
keys.

• Separation of Privilege: The protection mechanism should grant access
based on more than one piece of information.

• Least Privilege: The protection mechanism should force every process to
operate with the minimum privileges needed to perform its task.

• Least Common Mechanism: The protection mechanism should be shared
as little as possible among users.

As  each  scenario  is  developed  and  a  network  designed  and  built,  a  security  plan 
will  need  to  be  developed.  Creating  a  security  plan  is  difficult  and  time  consuming. 
Often,  it  is  best  to  use  a  guide  or  template  and  tailor  it  to  the  specific  needs  of  the  network 
being  protected.  Extensive  research  has  not  turned  up  a  better  general  guide  for  building 
a  security  plan  than  the  template  provided  by  NIST.  In  Appendix  C  the  NIST  template 
for  security  plans  for  both  major  application  and  general  support  systems  is  presented. 

Reconfiguring the RCEL for alternate scenarios involves a specific set of tasks. It
is likely that changing scenarios also means changing equipment, software, people and
connections. This may entail additional, unplanned activities. For example, when one
group of students finishes a scenario exercise, the next group may discover the passwords
to the routers and switches are no longer available. Most router and switch passwords
can be reset or recovered if the operator is familiar with the proper techniques and has
physical access to the devices. Resetting lost passwords on Cisco routers [CIS04] takes
only a few minutes, but involves being able to cycle the power and connect a terminal to
the device so a configuration register can be reset.

Another issue is upgrades to operating systems and applications. Doing upgrades
between exercises is ideal. When an exercise is in progress and the network is completely
isolated, upgrades are far more difficult. A related issue is licensing. Before deploying a
new configuration, the area manager must be sensitive to any licensing issues.

Of course, the most serious and critical issues relate to network security. It is
imperative that all connections are checked. Verify that the RCEL is not accidentally or
covertly connected to the Internet.

Each scenario will include a design, a set of activities, and an appropriate network
configuration. For each exercise, chronological lists of activities are provided. Each
activity has a list of the appropriate references and an additional reference to the
appropriate learning objectives defined in Chapter IV. To assist the reader, the L.O.s are
further designated G, N, S, A or L (General Skills, Networking Skills, Security, Analysis
or Leadership, respectively) according to the category in which they are found. For
example, 1G is learning objective 1, General Skills. Since the L.O.s are themselves
cross-referenced to NPS courses, it is now possible to trace an activity in the RCEL to a
learning objective, a useful reference, and an appropriate class. There is, of course, a
great deal of overlap.
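As an added example (not code from the thesis), the following Python snippet implements the cross-reference just described: it expands the "{L.O.s: ...}" shorthand used in the activity lists of this chapter, including ranges such as 15-18N, rejects an item whose category letter does not match the section its number belongs to, and maps the objectives to the Table 4 course IDs. The LO-to-course table is copied from the Chapter IV listings for the objectives the example uses; the thesis gives that mapping in prose, not as a data structure, so the dictionary form is the example's own.

```python
"""Expand the "{L.O.s: ...}" shorthand of the activity lists and trace it to
NPS courses (added example, not from the thesis)."""
from __future__ import annotations
import re

# Category letter -> LO number range, from the five sections of Chapter IV.
CATEGORY_RANGES = {"G": (1, 6), "N": (7, 18), "S": (19, 24), "A": (25, 28), "L": (29, 37)}

# LO -> NPS course IDs (Table 4), copied from the Chapter IV listings for the
# objectives this example exercises; extend it to all 37 for full tracing.
LO_COURSES = {
    12: ["C-1", "C-2", "C-3", "C-4", "C-6", "C-9", "C-10"],
    13: ["C-1", "C-4"],
    15: ["C-1", "C-2", "C-4", "C-6", "C-10"],
    16: ["C-1", "C-4"],
    17: ["C-1", "C-2", "C-3", "C-4"],
    18: ["C-1", "C-3", "C-4", "C-9"],
    34: ["C-10"],
}

# One item: "12N" or a range "15-18N"; the trailing letter is the category.
ITEM = re.compile(r"(\d+)(?:-(\d+))?([GNSAL])")


def expand(entry: str) -> list[tuple[int, str]]:
    """'{L.O.s: 15-18N, 34L}' -> [(15,'N'), (16,'N'), (17,'N'), (18,'N'), (34,'L')].
    Raises ValueError when a category letter disagrees with the LO's section."""
    body = entry.strip().strip("{}").split(":", 1)[1]
    out = []
    for m in ITEM.finditer(body):
        lo, hi, cat = int(m.group(1)), int(m.group(2) or m.group(1)), m.group(3)
        first, last = CATEGORY_RANGES[cat]
        for n in range(lo, hi + 1):
            if not first <= n <= last:
                raise ValueError(f"LO-{n} is not in category {cat} (LO-{first}..LO-{last})")
            out.append((n, cat))
    return out


def is_consistent(entry: str) -> bool:
    """True when every item's letter matches its section (a proofreading check)."""
    try:
        expand(entry)
        return True
    except ValueError:
        return False


def courses_for(entry: str) -> list[str]:
    """NPS course IDs reached from an activity's L.O. entry, in Table 4 order."""
    ids = set()
    for n, _ in expand(entry):
        ids.update(LO_COURSES.get(n, ()))
    return sorted(ids, key=lambda c: int(c.split("-")[1]))
```

Calling courses_for on an activity's entry gives the set of classes that could be assigned that activity; is_consistent is the check to run over a freshly typed activity list, since a mis-keyed letter (12S instead of 12N) would silently point at the wrong section.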

A.  SCENARIO  I  -  LOCAL  ONLY 

1.  The  Design 

In this scenario no outside organization is involved. The VPN is inactive and the
RCEL is effectively air-gapped from any internetworking connectivity.
Figure 8. Scenario I Configuration (RCEL Scenario I, Local Only)

Figure 8 depicts a simple scenario. When the RCEL is operated in this way, the
connection to the border router (and VPN) is disconnected. An effective way to
configure the network may be using VLAN technology. Here the central switch, the
Cisco 4224, 'becomes' the "internet," providing routing and interconnectivity between
the networks.


Each of the areas, attacker and defender, is configured as a VLAN. Configuring
VLANs on the Cisco router is relatively easy. In Figure 9, the concept of two VLANs
connected to a single switching element is shown. In Scenario I, we disregard the
connection to the router, which has been disabled or turned off. A router interface can be
disabled with the IOS command: Router(config-if)# shutdown.
Figure 9. VLAN conceptual diagram (port in multi-VLAN mode) from the Cisco Online
Documentation (CDROM) [CIS01]

Figure 9 shows three computers on each VLAN, but there could be as few
as one, or as many as desired, constrained only by the maximum number of hosts
that the switch can manage.

To create a VLAN, use the IOS command: "set Vlan Vlan-num Vlan-name."
Thus, the command "set Vlan 77 defender" would create the VLAN with
number 77 and the name "defender." Once the VLANs are created and properly
configured (see the Cisco Online Documentation for all Cisco references and
suggested configurations), the switch's currently running configuration file will
contain an entry similar to:

interface Vlan 77
 ip address 10.1.100.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
interface Vlan 42
 ip address 10.1.200.1 255.255.255.0
 ip access-group 102 in
 ip access-group 101 out

Note, in the listings above, the lines that refer to IP access-groups. These lines
refer to access lists, specifically access lists 101 and 102, which provide layer 3 and/or 4
filtering at the switch. The exact content of such lists would be based on the specific
network and would be created at the time the VLAN is configured. The applied access
lists control the type of packets permitted or blocked at the VLAN interface (either
inbound or outbound) by selecting packets for filtering based on source or destination
address, port number, protocol, connection state and packet fragmentation. This
capability further strengthens the VLAN by providing isolation and protection specific to
the needs of that network segment.

These configuration entries reflect the creation of two VLANs, 77 and 42. Cisco
VLAN numbers are restricted to numbers between 2 and 1001. Other numbers are
reserved for use by other functionality of the switch.

Once the VLANs exist, the switch's physical ports, into which the computers are
connected with standard Cat5 RJ45-terminated cables, must be associated with the
appropriate VLAN. The configuration entries below reflect that physical ports 22, 23 and
24 on the switch are associated with VLAN 77. The line "switchport access vlan 77"
shows the association. The line "interface FastEthernet5/22" identifies physical port 22
on module 5 that will have one of the computers plugged into it. Each port would have a
configuration script similar to:

interface FastEthernet5/22
 no ip address
 duplex auto
 speed auto
 switchport access vlan 77
 snmp trap link-status
 no cdp enable

In a like manner, ports 19, 20 and 21 on module 5 will be associated with VLAN
42. The switch needs little other configuration beyond the normal administrative tasks.
IP address filters, ACLs, etc., will vary with each organization and exercise. The intent
of this work, however, is not to teach Cisco switch configuration, but to demonstrate a
possible configuration for Scenario I. A source of information is the Cisco configuration
guides, which can be found at:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/.
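As an added example (not code from the thesis or from Cisco), the following Python script shows how the access-group and switchport lines above can be audited rather than only read. It parses a constructed running-config modelled on the listings, flags any VLAN interface that lacks an inbound or outbound access-group (an unfiltered interface is the opposite of the Saltzer and Schroeder fail-safe default quoted at the start of this chapter, because a Cisco interface with no access-group applied passes everything), maps switch ports to VLANs, and evaluates constructed packets against the numbered access lists with first-match semantics and the implicit deny that ends every Cisco ACL. The access-list bodies, the Vlan 99 interface and the sample packets are invented for the example, since the thesis leaves the list contents unspecified; only the "any" and address/wildcard source and destination forms are parsed.

```python
"""Audit a Cisco-style running-config for VLAN isolation (added example, not
thesis or Cisco code): flag VLAN interfaces lacking in/out access-groups, map
ports to VLANs, and evaluate packets against numbered extended ACLs with
first-match semantics and Cisco's implicit deny at the end of every list."""
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed config: Vlan 77/42 and port 5/22 follow the thesis listings; the
# access-list bodies and the unguarded Vlan 99 are invented for this example.
RUNNING_CONFIG = """
access-list 101 permit tcp 10.1.100.0 0.0.0.255 10.1.200.0 0.0.0.255 eq 80
access-list 101 permit icmp 10.1.100.0 0.0.0.255 10.1.200.0 0.0.0.255
access-list 102 permit tcp 10.1.200.0 0.0.0.255 10.1.100.0 0.0.0.255 established
interface Vlan 77
 ip address 10.1.100.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
interface Vlan 42
 ip address 10.1.200.1 255.255.255.0
 ip access-group 102 in
 ip access-group 101 out
interface Vlan 99
interface FastEthernet5/22
 switchport access vlan 77
interface FastEthernet5/19
 switchport access vlan 42
"""
VLAN_IF = re.compile(r"Vlan\s*(\d+)")

@dataclass
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src: tuple[int, int]       # (address, wildcard) as 32-bit ints
    dst: tuple[int, int]
    dport: int | None = None   # "eq <port>" qualifier, if present
    established: bool = False  # "established" keyword, if present

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (_wild(self.src, pkt["src"]) and _wild(self.dst, pkt["dst"])):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return not self.established or bool(pkt.get("established"))

def _wild(spec: tuple[int, int], ip: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are don't-care bits."""
    addr, wild = spec
    return (int(ip_address(ip)) | wild) == (addr | wild)

def _addr(tok: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse 'any' or 'A.B.C.D W.W.W.W' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (int(ip_address(tok[i])), int(ip_address(tok[i + 1]))), i + 2

def parse_config(text: str):
    acls: dict[int, list[Rule]] = {}             # ACL number -> ordered rules
    vlan_groups: dict[int, dict[str, int]] = {}  # VLAN -> {"in": ACL, "out": ACL}
    port_vlan: dict[str, int] = {}               # port name -> VLAN
    current = ""                                 # interface being configured
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            rest = tok[i:]
            dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
            acls.setdefault(int(tok[1]), []).append(
                Rule(tok[2], tok[3], src, dst, dport, "established" in rest))
        elif tok[0] == "interface":
            current = " ".join(tok[1:])
            if m := VLAN_IF.fullmatch(current):
                vlan_groups.setdefault(int(m.group(1)), {})
        elif tok[:2] == ["ip", "access-group"] and (m := VLAN_IF.fullmatch(current)):
            vlan_groups[int(m.group(1))][tok[3]] = int(tok[2])
        elif tok[:3] == ["switchport", "access", "vlan"]:
            port_vlan[current] = int(tok[3])
    return acls, vlan_groups, port_vlan

def evaluate(acl: list[Rule], pkt: dict) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def unguarded_vlans(vlan_groups: dict[int, dict[str, int]]) -> list[int]:
    """VLAN interfaces missing an inbound or an outbound access-group."""
    return sorted(v for v, g in vlan_groups.items() if not {"in", "out"} <= set(g))

def decide(acls, vlan_groups, vlan: int, direction: str, pkt: dict) -> str:
    """Verdict of the ACL bound to a VLAN interface; no ACL bound means no filtering."""
    num = vlan_groups.get(vlan, {}).get(direction)
    return evaluate(acls[num], pkt) if num is not None else "permit"
```

To use it on a real switch, paste the output of "show running-config" in place of RUNNING_CONFIG, call parse_config, and run unguarded_vlans over the result before an exercise starts; decide then answers the concrete question "would this packet cross this VLAN boundary?" for any packet dictionary you construct, which is a quick way to verify that the attacker and defender segments are as isolated as the security plan claims.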

The  physical  interconnections  allow  the  PCs  to  send  packets  to  the  network  (see 
the  appropriate  documentation  for  the  PC  or  device  in  use)  and  to  the  appropriate 
port/VLAN  of  the  switch. 

Looking at the attacker LAN, the activities of the attacker will most likely follow
a distinct pattern, such as that outlined by McClure [MCC01].

2.  RCEL  Activities  for  Scenario  I 

So, the activities of this scenario for the attacker are:

1. Define the needs of the attacker side of the LAN [MCC01, NAT17, MAN01]

{L.O.s: 6G, 11N, 14N, 15N, 17N, 18N, 19S, 20S, 21S, 23S, 24S, 25A, 27A, 28A, 31L, 32L, 34L}

2. Connect the hardware [COM02, CIS01, DEF01, NAT04, NAT08, LAR01, NAT17, ROS01]

{L.O.s: 1G, 2G, 4G, 5G, 7N, 10N, 13N, 18N, 23S, 27A, 29L, 30L, 34L}

3. Configure and test the VLAN on the switch [COM02, CIS01, DEF01, NAT04, NAT08, LAR01, NAT17, ROS01]

{L.O.s: 5G, 7N, 8N, 10N, 14N, 15N, 17N, 18N, 22S, 23S, 27A, 30L, 31L, 32L, 33L, 34L, 36L, 37L}

4. Configure and test the workstations [SAN01, COM02, DEP01, NAT16, NAT14, NAT03, NAT05, NAT09, LIT01, RUS01, FRA01, POS01, BER02, LON01, ROS01, DAY01, KEL01, GER01]

{L.O.s: 1-6G, 7N, 8N, 10N, 13N, 14N, 15N, 17N, 18N, 20-24S, 25A, 27A, 29-37L}

5. Define the attack goals and formulate an attack plan [MCC01, MAN01]

{L.O.s: 1G, 4G, 5G, 6G, 9N, 14N, 15-18N, 19-24S, 25-28A, 30L, 33L, 34-37L}

6. Acquire the "hacking" tools and exploits needed [MCC01]

{L.O.s: 6G, 12N, 14N, 19S, 24S, 25-28A, 30L, 33L, 34-36L}

7. Engage in the attack following McClure's 9 steps [MCC01]

{L.O.s: 3G, 4G, 6G, 7-18N, 19-24S, 25-28A, 33-36L}

8. Disengage the attack [MCC01, LAR01, NAT17, DAY01, KEL01]

{L.O.s: 12N, 13N, 17N, 34L}

9. Analyze the success/failure of the techniques and tools employed [DEP02, MAN01, DAY01]

{L.O.s: 6G, 7-18N, 19-24S, 25-28A, 29-37L}

Looking back at the learning objectives, this scenario accommodates all of the learning objectives listed in Chapter IV, although in a more limited way. Due to the limited scope and small scale of this scenario, some L.O.s are covered in far more depth than others.

Now let's look at the defender VLAN. Major activities on this side are:

1. Define the defensive needs of the network [SAN01, DEP02, FRA01, NAT17]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

2. Write a security plan [DEP03, SAN01, LEI02, NAT18, DEP01, NAT16, NAT12, NAT04, KEN01, NAT17]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

3. Configure the VLAN on the switch [COM02, CIS01, DEF01, NAT04, NAT08, LAR01, NAT17, ROS01]

{L.O.s: 5G, 7N, 8N, 10N, 14N, 15N, 17N, 18N, 22S, 23S, 27A, 30L, 31L, 32L, 33L, 34L, 36L, 37L}

4. Connect the hardware [COM02, CIS01, DEF01, NAT04, NAT08, LAR01, NAT17, ROS01]

{L.O.s: 1G, 2G, 4G, 5G, 7N, 10N, 13N, 18N, 23S, 27A, 29L, 30L, 34L}

5. Configure, connect and test the workstations including security [SAN01, COM02, DEP01, NAT16, NAT14, NAT03, NAT05, NAT09, LIT01, RUS01, FRA01, POS01, BER02, LON01, ROS01, DAY01, KEL01, GER01]

{L.O.s: 1-6G, 7N, 8N, 10N, 13N, 14N, 15N, 17N, 18N, 20-24S, 25A, 27A, 29-37L}

6. Implement and test the security plan including incident response and operational continuity [DEP03, SAN01, LEI02, NAT18, DEP01, NAT16, NAT13, NAT12, NAT04, KEN01, NAT17, DAY01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16-18N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

7. Defend the net [SAN01, IRV01, HIL01, BIS01, MAY01, NAT18, COM02, PFL01, NAT15, NAT16, NAT12, NAT03, NAT06, NAT10, LIT01, RUS01, MCC01, FRA01, NAT17, MAN01, LON01, ROS01, KEL01]

{L.O.s: 3-6G, 7-18N, 21-24S, 26A, 28A, 29-37L}

8. Disengage the exercise [MCC01, LAR01, NAT17, DAY01, KEL01]

{L.O.s: 12N, 13N, 17N, 34L}

9. Analyze the success/failure of the security plan [FRA01, NAT17, MAN01]

{L.O.s: 6G, 7-18N, 19-24S, 25-28A, 29-37L}

10. Analyze (forensically) any penetrations or collected evidentiary data [MCC01, FRA01, NAT17, MAN01]

{L.O.s: 8N, 9N, 12N, 14N, 19S, 20S, 23S, 24S, 34L, 36L, 37L}

Scenario I is closely akin to a traditional lab exercise. This network may be configured in a day; the remaining aspects of the scenario may be done in a day or over a period of a week or more.

VLANs allow this scenario to be on-going while other activities are taking place on the switch. The Cisco 4224 used in the Naval Postgraduate School RCEL is a 24-port switch. Allotting 6 ports to this scenario allows four separate Scenario I activities to take place simultaneously.

B. SCENARIO II - LIMITED INTERACTION DEFENSE ONLY

1. The Design

This scenario provides a defensive exercise configuration. Configure the RCEL to appear as a "normal" small organization's network. In this exercise, a minimal amount of equipment is set up. The RCEL network is hardened according to a pre-existing security plan [DEP01, NAT15, NAT16, NAT12, NAT10, RUS01]. It is not too well hardened, however, since we actually want the attacker to succeed. Successful attacks enable defenders to watch and record the attack and the progression of penetration and compromise. A great deal of experiential learning comes from being the victim of an attack [BIS01, MAY01, DAL01] (in a controlled environment).

An agreement is made between the defending RCEL (blue team) and an external organization that will act as the attacker (red team). This may be another school, another department, the local hacker's club, or perhaps someone as able and sophisticated as the NSA or CIA. The external organization then attacks the RCEL network and tries to gain access, acquire information (e.g., "capture the flag"), or disrupt operation. This may involve the use of malware, back doors, denial of service, interception or any other attack technique. The limitations of the attack will be set in advance by agreement between the defending side administrator and the attacker organization.
In this scenario, the VPN connects to the attacker and serves as the access gateway for the network. The first router is located behind a hub (see Figure 10 below), allowing an Intrusion Detection System (IDS) station to electronically monitor all network traffic. The attacker is forbidden from attacking the data collection laptop (if detected) but the IDS is fair game. The data collection laptop is used by an instructor or manager to monitor network activities or record raw traffic.

The Scenario II configuration of the RCEL includes a router, a firewall, a switch, an application server, a web server and a syslog server. Note, there is no DMZ and no mail server. The application server may be running any application appropriate to the exercise or agreed upon by the exercise participants. Of course, the participants may add features or servers as necessary to meet specific requirements.

When deploying an IDS [CIS03], the specific implementation must be tuned for maximum effectiveness and to reduce false positives caused by legitimate traffic. In Figure 10, the IDS is configured as a Network Intrusion Detection System (NIDS) versus a Host-based Intrusion Detection System (HIDS). When a threat is detected, the IDS provides passive notification to the administrator or other agent per the specified configuration. The choice of response is dependent upon the goal of the network security plan. A NIDS that only records and quietly alerts can be thought of as a "silent alarm."

Configuring a NIDS requires careful consideration and planning. In this exercise, we are only interested in detection. That is, it will be more important to allow some attack traffic in than to automatically "shun" or filter any hosts detected as the origin of the attack. This may be true in some operational networks as well.
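As an added example (not from the thesis), the Python detector below implements this detection-only posture over constructed tcpdump-style summary lines: it raises an alert when one source sends SYNs to many distinct ports on one host within a short window, and it shuns the source only when that mode is explicitly switched on, which is the setting Scenario II leaves off. The line format, addresses, ports and thresholds are all assumed.

```python
"""Silent-alarm NIDS rule for the Scenario II detection-only posture.

Added example, not from the thesis. Input is a list of constructed
tcpdump-style summary lines; output is a list of alerts and the (normally
empty) list of sources that would have been shunned.
"""
import re
from collections import defaultdict

# Assumed summary format: "HH:MM:SS.fff IP src.sport > dst.dport: Flags [S]"
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_line(line):
    """Return (seconds_of_day, src, dst, dport, flags), or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, _sport, dst, dport, flags = m.groups()
    seconds = int(h) * 3600 + int(mi) * 60 + float(s)
    return seconds, src, dst, int(dport), flags


def detect_port_sweeps(lines, threshold=5, window_s=10.0, shun=False):
    """Return (alerts, shunned_sources).

    alerts: list of (time, src, dst, sorted distinct ports seen in window),
            at most one per (src, dst) pair so a sweep does not flood the log.
    shunned_sources: sources that would be blocked; always empty unless
            shun=True, which is the response Scenario II deliberately avoids.
    """
    history = defaultdict(list)      # (src, dst) -> [(t, dport), ...]
    alerted = set()
    alerts = []
    shunned = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dst, dport, flags = rec
        if flags != "S":              # bare SYN only; "S." is the SYN-ACK reply
            continue
        if shun and src in shunned:   # a blocked source produces no further events
            continue
        key = (src, dst)
        history[key] = [(ts, p) for ts, p in history[key] if ts >= t - window_s]
        history[key].append((t, dport))
        ports = sorted({p for _, p in history[key]})
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((t, src, dst, ports))
            if shun:
                shunned.add(src)
    return alerts, sorted(shunned)


# Constructed capture: a fast sweep from an attacker-side host, ordinary
# repeated web connects from a defender host, and a slow probe spread over
# 80 seconds that stays under the default window.
SAMPLE_CAPTURE = [
    "10:00:01.000 IP 10.77.0.5.40001 > 10.42.0.10.21: Flags [S]",
    "10:00:01.050 IP 10.77.0.5.40002 > 10.42.0.10.22: Flags [S]",
    "10:00:01.100 IP 10.42.0.10.22 > 10.77.0.5.40002: Flags [S.]",
    "10:00:01.200 IP 10.77.0.5.40003 > 10.42.0.10.23: Flags [S]",
    "10:00:01.300 IP 10.77.0.5.40004 > 10.42.0.10.25: Flags [S]",
    "10:00:01.400 IP 10.77.0.5.40005 > 10.42.0.10.80: Flags [S]",
    "10:00:01.500 IP 10.77.0.5.40006 > 10.42.0.10.443: Flags [S]",
    "10:00:02.000 IP 10.42.0.20.51000 > 10.42.0.10.80: Flags [S]",
    "10:00:02.100 IP 10.42.0.20.51001 > 10.42.0.10.80: Flags [S]",
    "10:00:30.000 IP 10.77.0.6.40000 > 10.42.0.11.22: Flags [S]",
    "10:00:50.000 IP 10.77.0.6.40001 > 10.42.0.11.80: Flags [S]",
    "10:01:10.000 IP 10.77.0.6.40002 > 10.42.0.11.443: Flags [S]",
    "10:01:30.000 IP 10.77.0.6.40003 > 10.42.0.11.25: Flags [S]",
    "10:01:50.000 IP 10.77.0.6.40004 > 10.42.0.11.21: Flags [S]",
]

if __name__ == "__main__":
    found, blocked = detect_port_sweeps(SAMPLE_CAPTURE)
    for t, src, dst, ports in found:
        print("ALERT t=%.3f %s swept %s ports %s" % (t, src, dst, ports))
    print("shunned:", blocked)
```

Widening window_s catches the slow probe as well, at the cost of more state per source pair; the trade-off between window length and false positives is the tuning the text refers to.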
Figure 10, Scenario II - Defense Only

The Cisco PIX firewall, along with the router filters, forms the primary perimeter defense of the network. This exercise assumes an attacker will attempt penetration; however, a reasonable but soft perimeter defense should be in place initially to provide educational strength and completeness to the exercise. If the attacker fails to penetrate the perimeter after some previously negotiated timeframe, the perimeter defense will be reduced further or removed to allow penetration.
2. Network Design Elements

The most critical aspect of the Scenario II network (and also of Scenarios III, IV, V and VI) is the use of the VPN to connect to the external organization. VPNs use several technologies including PPTP (Point to Point Tunneling Protocol), L2TP (Layer Two Tunneling Protocol), or even SSL (Secure Socket Layer) and SSH (Secure Shell). Each technology has pros and cons. Today's more robust VPN appliances and software, like the Cisco PIX-506 used in the NPS RCEL, support IPSec.

Of all the VPN technologies available, IPSec is the technology of choice for the support of RCEL exercises wherein the opposing networks are connected across a shared, public network. The reason for this is twofold. First, IPSec is employed at the network layer; thus every application that participants may want to involve in any particular exercise scenario can be encapsulated in the encryption tunnel as the application payload (OSI layer 7) is passed down to the IPSec (OSI layer 3) processing module. Second, when employed in tunnel mode on a gateway machine that serves as the only link between the RCEL network and the external public network, IPSec will leave all of the original RCEL machines' IP information intact, and simply encapsulate the traffic in a new IP header. Such usage of IPSec in tunnel mode provides both packet encryption and network address translation (NAT) for the private IP space that is likely being used in the RCEL.


IPSec [KEN01, VPN01] technology as described in RFCs 2401, 2406, 2407, 2408, 2409, 2547, and 3193 allows for the establishment of an encrypted "tunnel" or connection between hosts. RFC-2401 defines IPSec as:

IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more "paths" between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. (The term "security gateway" is used throughout the IPsec documents to refer to an intermediate system that implements IPsec protocols. For example, a router or a firewall implementing IPsec is a security gateway.)
Note that anyone attempting to set up a VPN must familiarize themselves with all pertinent RFCs and the documentation provided by the manufacturer of the VPN products in use.

An excellent reference for VPN information is the VPNC (VPN Consortium, http://www.vpnc.org). The VPNC defines three types of VPN technologies [VPN01]: Secure VPN, Trusted VPN, and Hybrid VPN. The RCEL must use a secure VPN technology. Secure VPN technologies include IPsec with encryption in either tunnel or transport mode, or IPsec inside layer 2 tunneling protocol (L2TP as described in RFC-3193). The exact manner in which the VPN is established depends entirely on the software or hardware used. Some VPN systems have very nice GUI interfaces that allow the administrator to point and click all the settings necessary. On the other end of the spectrum are the command line systems requiring a thorough knowledge of the product and VPN technology to correctly configure.

In  the  RCEL,  the  VPN  station  is  critical  and  must  be  assigned  to  people  who  are 
interested,  knowledgeable  (or  want  to  become  so)  and  can  be  trusted  to  respect  the 
seriousness  and  importance  of  this  duty. 

In  the  network  diagram  shown  in  Figure  10,  a  second  hub  is  located  between  the 
firewall  and  the  switch.  This  is  considered  “invisible”  to  the  network  and  is  used  only  to 
permit  sniffing,  monitoring  and  other  vulnerability  assessment  and  exercise  specific 
activities. 

Within  the  network,  tools  like  TripWire  can  be  deployed.  Tripwire  (an  open 
source  solution)  monitors  changes  to  files  residing  on  Linux  systems  (the  commercially 
available  version  works  on  Unix  and  Windows).  The  program  detects  changes  in  key 
attributes  of  files  that  should  not  change,  including  binary  signature,  size,  etc. 
Commercial  versions  are  available. 

Nessus is a publicly available tool that monitors and checks for security vulnerabilities on a network. More information can be found at http://www.nessus.org. It is a good idea to put a sniffer in place as well. A good sniffing product that is freely available is Ethereal (http://www.ethereal.com). This tool lets the user see incoming packets in real time and dissect them into their component parts for easy reading.

There is significant debate in the IA community about the value of IDS and the role it should play in overall security. It is not within the scope of this work to settle this debate, only to make the reader aware of it. IDS can be simplistic (a sniffer) or more sophisticated, as in the Cisco IDS 4250 Appliance Sensor. The Cisco marketing literature claims the IDS-4250 "raises the performance bar for high-throughput gigabit protection in a performance-upgradeable IDS chassis." The importance of the IDS and sniffer to the RCEL is student awareness and familiarity.

In Figure 11, a capture of a small part of a session is shown. The highlighted line in the top area selects a particular packet. In the middle area, the packet's structure is broken out, and in the lower segment the hex is highlighted that relates to the particular protocol selected in the center frame. With this tool, users quickly see what is coming into the network and what ports and protocols are in use or requested.
Figure 11, Ethereal Capture

3. RCEL Activities for Scenario II

The  activities  associated  with  this  configuration  are  similar  to  those  in  Scenario  I 
for  the  defender  side  with  some  additions. 


1. Define the needs and scope of the network IAW the planned exercise [IRV03, HIL01, LAN01, BIS01, MAY01, 42, MCC01, MAN01, HOF01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

2. Write a security plan [DEP03, SAN01, LEI02, NAT18, DEP01, NAT16, NAT12, NAT04, KEN01, NAT17]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

3. Connect the hardware (without connecting the VPN to the internet or the router) [COM02, CIS01, DEF01, NAT12, NAT04, NAT08, LAR01, NAT17, ROS01, LEI01]

{L.O.s: 1G, 2G, 4G, 5G, 7N, 10N, 13N, 18N, 23S, 27A, 29L, 30L, 34L}

5. Configure the switch as needed [CIS01, LAR01, LON01]

{L.O.s: 2G, 4G, 5G, 7N, 8-11N, 13-15N, 17N, 18N, 23S, 27A, 29-37L}

6. Configure and test the workstations including security per the security plan [SAN01, COM02, DEP01, NAT16, NAT14, NAT03, NAT05, NAT09, LIT01, RUS01, FRA01, POS01, BER02, LON01, ROS01, DAY01, KEL01, GER01]

{L.O.s: 1-6G, 7N, 8N, 10N, 13N, 14N, 15N, 17N, 18N, 20-24S, 25A, 27A, 29-37L}

7. Implement and test the remainder of the security plan including incident response and operational continuity [SAN01, NAT13, NAT17, DAY01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16-18N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

8. Implement and test the vulnerability assessment and IDS stations [NAT06]

{L.O.s: 2G, 4G, 6G, 12N, 14N, 20S, 23S, 24S, 28A, 29L, 34L, 37L}

9. Configure the VPN according to the security plan and the requirements of the local network administrator [CIS01, KEN01, LAR01]

{L.O.s: 1G, 4G, 5G, 7N, 9N, 10N, 11N, 14-18N, 23S, 24S, 27A, 28A, 29-34L}

10. Test the VPN with the attacking organization without the RCEL router connected [CIS01, KEN01, LAR01]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L}

11. Connect the RCEL router when the exercise is ready to begin [NAT12, LEI01]

{L.O.s: 2G, 6G, 9N, 10N, 13N, 15-18N, 23S, 24S, 29L, 31L, 32L, 36L}

12. Test the security of the VPN [CIS01, KEN01, LAR01, NAT17]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L, 37L}

13. Conduct the scheduled exercise [SAN01, IRV01, HIL01, BIS01, MAY01, NAT18, COM02, PFL01, NAT15, NAT16, NAT12, NAT03, NAT06, NAT10, LIT01, RUS01, MCC01, FRA01, NAT17, MAN01, LON01, ROS01, KEL01]

{L.O.s: ALL}

14. Collect data during the exercise [MAN01]

{L.O.s: 3G, 4G, 5G, 9-12N, 14N, 15-18N, 19-24S, 29L, 32L, 35L}

15. Disconnect the router and VPN when the exercise is concluded [CIS01, KEN01, LAR01]

{L.O.s: 8N, 12N, 13N, 17N, 18N, 19S, 23S, 25A, 27A, 33L, 34L, 36L}

16. Analyze the success/failure of the security plan [FRA01, NAT17, MAN01]

{L.O.s: 6G, 7-18N, 19-24S, 25-28A, 29-37L}

17. Analyze (forensically) any successful attacks [MCC01, FRA01, NAT17, MAN01]

{L.O.s: 8N, 9N, 12N, 14N, 19S, 20S, 23S, 24S, 34L, 36L, 37L}

In Scenario II, all learning objectives for the RCEL are available to instructors and students except those specifically related to attack techniques. This scenario is an excellent way to start a RCEL and to safely demonstrate the virtues of this type of education with minimal risk of some unfortunate incident taking place. This scenario can be exciting, interesting and challenging. If the attacker is very sophisticated, the scenario is enhanced.

This exercise must provide dynamic latitude in defensive implementations, as it is actually desirable that the attacker penetrate the defended system at some point during the exercise so the students can gain the experience. Thus, if the defense is so well implemented that the attackers cannot penetrate, the defenders should soften it as the exercise progresses until it is ultimately penetrated.

C. SCENARIO III - LIMITED INTERACTION ATTACK ONLY

1. The Design

In the opposite of Scenario II, students assume the role of attacker in Scenario III. Students learn a great deal about defending a network when they understand how attacks are mounted and carried out. Training students to conduct attacks prepares them for performing vulnerability analysis, which is beneficial for organizations charged with such tasks. In Figure 12 we see an attack configuration. Just as a hacker or group of hackers is not seriously concerned with the victim attacking in response, this configuration allows the red team (attackers) maximum freedom and minimum impedance from security measures. Note, there is no firewall, no IDS, no VLANs, no authentication and so on.

To attempt this configuration in a normal lab is very difficult because the local network's security and restrictions inhibit many attacks and the use of malware.

Attackers should formulate an attack plan [MCC01] and go about gathering tools to carry out that plan. Some attack methods will be novel, but most will come from existing sources such as "hacker" web sites. One such site, "The Cult of the Dead Cow" (http://www.cultdeadcow.com), is quite useful. Caution must be exercised when visiting these sites to prevent introducing malware into the research machine.

Figure 12, Scenario III - Attack Configuration


More reputable web sites for collecting tools include http://www.insecure.org, http://www.blackhat.com, http://www1.corest.com, http://www.sans.org, http://icat.nist.gov, http://www.hacker-tools.com and many more.

Primary among the tools needed is Nmap. Nmap can be freely downloaded from insecure.org. There is a command line version and a GUI version. This tool is used to map a network's machines and open ports. The documentation for Nmap states, "Nmap is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering." (http://www.insecure.org/nmap/data/nmap_manpage.html). Red Team members are "curious individuals."


Figure  13,  Nmap  Scan  Results 


Figure 13 shows a sample scan of a single computer. Nmap can also be used to scan a range of IP addresses. This tool is very adaptable, allowing stealth pings and various types of scan techniques. SuperScan is another useful network-mapping tool and can be found at http://www.foundstone.com.

Another required tool is a password cracker. L0phtCrack (pronounced "loft crack") from @Stake is a very good tool for this purpose. The tool can be downloaded but a license is required. An equally effective freeware product is "John the Ripper." The home page for this product is http://www.openwall.com/john. The opening statement on that page describes the product thusly:

John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.

Perhaps the next most useful tool is Netcat. Netcat can be found at http://netcat.sourceforge.net. It is described there as:

Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

One of the "interesting" capabilities Netcat has is the ability to send data across the net to a host and port specified. Once a machine is penetrated, among the first tasks the hacker does is put Netcat on the victim machine. It can be named anything, of course. A wily hacker might call it Excell.exe or Win32Filter.exe. This naming obscurity will probably fool most users who would not be looking for programs of this type. If the program were stored in an alternate data stream [MAN01], it would be completely invisible to the user/owner of the victim box.

A very comprehensive list of tools can be found at http://www.hackingexposed.com/tools/tools.html. This list has been compiled by Stuart McClure and others at Foundstone, Inc.

In addition to the tools of penetration and compromise, the attackers may want to employ malware of some sort. "Back Orifice" is an easy tool to locate, install and use. "Rootkits" like "Adore" or "knark", and the many variations thereof, are readily available for use when attacking Linux or Unix systems. Rootkits typically use the LKM (Loadable Kernel Module) capability of Unix to load and install additional functionality in a running kernel. Rootkits allow the attacker to add, change or delete utility programs. They often have stealth capability to hide their presence. Frequently, rootkits modify benign utilities like chmod or ps, inserting functionality desired by the attacker.

There are thousands of other attack tools, so the attack plan should research the most useful and effective (and removable) for the exercise. For ideas, exercise participants should refer to the NIST ICAT (the acronym no longer has a specific definition) database for a complete description of all known exploits, viruses, Trojans, worms and so on.

In addition to the aforementioned tools, a suite of tools from http://www.sysinternals.com is useful, well written and easily installed. Of this group, the Psexec tool is especially useful. The description provided by the vendor says, "The Pstools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more." Psexec allows the attacker to execute programs on the victim machine with the permission of the current user. Another tool from this suite is Pspasswd. Pspasswd lets the attacker change an account password on a local or remote system. The attacker can create batch files to run Pspasswd on computers they have penetrated and perform a mass change of the administrator or user passwords.

2.  RCEL  Activities  for  Scenario  III 

1. Define the needs and scope of the network [IRV03, HIL01, LAN01, BIS01, MAY01, 42, MCC01, MAN01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

2. Develop and write the attack plan [MCC01, MAN01]

{L.O.s: 3G, 4G, 6G, 8N-11N, 14-18N, 21-24S, 21-28A, 32-37L}

3. Collect attack tools and exploits based on the attack plan [MCC01]

{L.O.s: 4G, 19S, 20S, 22S, 23S, 24S, 26A, 37L}

4. Connect the hardware (without connecting the VPN to the internet or the router) [NAT12, LEI01]

{L.O.s: 1G, 2G, 4G, 5G, 7N, 10N, 13N, 18N, 23S, 27A, 29L, 30L, 34L}

5. Configure the router and switch as needed [CIS01, LAR01, LON01]

{L.O.s: 2G, 4G, 5G, 7N, 8-11N, 13-15N, 17N, 18N, 23S, 27A, 29-37L}

6. Configure and test the workstations including minimal security and including tools specified in the attack plan [SAN01, COM02, DEP01, NAT16, NAT14, NAT03, NAT05, NAT09, LIT01, RUS01, FRA01, POS01, BER02, LON01, ROS01, DAY01, KEL01, GER01]

{L.O.s: 1-6G, 7N, 8N, 10N, 13N, 14N, 15N, 17N, 18N, 20-24S, 25A, 27A, 29-37L}

7. Configure the VPN according to the security plan and the requirements of the local network administrator [CIS01, KEN01, LAR01]

{L.O.s: 1G, 4G, 5G, 7N, 9N, 10N, 11N, 14-18N, 23S, 24S, 27A, 28A, 29-34L}

8. Test the VPN with the victim organization without the RCEL router connected [KEN01, LAR01]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L}

9. Connect the RCEL router when the exercise is ready to begin

{L.O.s: 2G, 6G, 9N, 10N, 13N, 15-18N, 23S, 24S, 29L, 31L, 32L, 36L}

10. Test the security of the VPN [KEN01]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L, 37L}

11. Conduct the scheduled exercise [SAN01, IRV01, HIL01, BIS01, MAY01, NAT18, COM02, PFL01, NAT15, NAT16, NAT12, NAT03, NAT06, NAT10, LIT01, RUS01, MCC01, FRA01, NAT17, MAN01, LON01, ROS01, KEL01]

{L.O.s: 6G, 7-18N, 19-24S, 25-28A, 29-37L}

12. Collect data during the exercise [MAN01]

{L.O.s: 3G, 4G, 5G, 9-12N, 14N, 15-18N, 19-24S, 29L, 32L, 35L}

13. Disconnect the router and VPN when the exercise is concluded [CIS01, KEN01, LAR01]

{L.O.s: 8N, 12N, 13N, 17N, 18N, 19S, 23S, 25A, 27A, 33L, 34L, 36L}

14. Analyze the success/failure of the attack plan [MCC01, MAN01]

{L.O.s: 6G, 7-18N, 19-24S, 25-28A, 29-37L}

15. Analyze all attack results [MAN01]

{L.O.s: 8N, 9N, 12N, 14N, 19S, 20S, 23S, 24S, 34L, 36L, 37L}

Note, if the attack strategy includes any self-replicating malware, great caution must be taken to prevent infection and spread among Scenario III host machines and inadvertent infection of other systems in the RCEL or elsewhere. This type of activity highlights the importance of the VPN and air-gapped lab configuration to protect other resources. That having been said, this lab configuration and exercise scenario is ideal for testing and evaluating the behavior of newly observed exploits and malware.

The learning objectives achieved in this scenario lean more to the attack side. There are still a lot of activities in setting up networks and VPNs, but the sophistication of the security plan and contingency/continuity planning are eliminated.

D. SCENARIO IV - JOINT TEACHING EXERCISE

1. The Design

In this exercise, two academic/training organizations agree on a set of activities conducted between respective RCELs. This scenario relies on the flexibility of the RCEL. There is no specific network configuration of the RCEL for this scenario; rather, there are general guidelines that can be followed to create a successful inter-organization exercise.

A negotiated exercise is designed to address a particular need at a particular time. The participants design the RCEL to meet a mutually identified and specific training requirement. An example is training a group of programmers to manage a network remotely. Another example is providing lab functionality remotely to a small or poorly equipped organization for security training.

Referring to Figure 4 and Figure 5, it is possible to interpolate implementations of the RCEL for the specific exercises being planned. Most implementations will use VLANs to isolate network activity. The ACLs written for the router and switch are based on the amount of interaction agreed upon by the exercise participants.

In this scenario, a larger portion of effort will be in the analysis and design phases. There are many good resources to help with design of a secure network. One very useful and quick read is the NetScreen Whitepaper: Principles of Secure Network Design [NET01] available from http://www.netscreen.com. NetScreen is a security-focused manufacturer of network products and services. Three of their guiding principles are: “security is a process”, “effective security is Security-in-Depth” and “if you don’t know what you are protecting and why, you can’t protect anything.” The paper also covers seven steps to a more secure network design.

1. Audit - Determine what is important and why.

2. Partition - Separate the important from the unimportant.

3. Fix - Make your default-configured systems more secure.

4. Monitor - Add monitoring and logging systems to round out your security.

5. Protect - Make a plan, and a contact sheet for when attacks happen.

6. Check - Do a dry run - and attack your own network.

7. Update - Keep current, and re-evaluate your design as things change.

With a document such as this, students have a good starting point for their work.

To provide added reliability, automatic failover of the routers may be desirable. If Cisco routers are used, as in the NPS RCEL, “hot standby routing protocol” (HSRP) is the proprietary Cisco protocol provided. In Scenarios IV, V and VI the network routers may be configured in an HSRP configuration, as seen in Figure 14 [CIS05]. In this configuration, the network requires two routers and more set-up time. A virtual router is created and traffic is routed to that virtual router’s address. If Router A fails, there is no disruption of traffic as Router B automatically continues routing traffic.

Figure 14, HSRP network configuration [CIS05], from http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs009.htm
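The failover behaviour described above, as an added illustration that is not part of the thesis or of the Cisco documentation it cites: a small Python model of one HSRP group in which two routers share a virtual gateway address. The router names, addresses and priorities are assumptions made for the example, and the hello and hold timers are the HSRP defaults (3 s and 10 s); the election rules modelled (highest priority wins, ties go to the highest IP, a recovered router only reclaims the role when preemption is configured) are those of HSRP.

```python
"""HSRP-style active/standby election and failover, as a small simulation.

Added example, not code from the thesis or from Cisco. Two routers share one
virtual router address; hosts use that address as their default gateway and the
standby router takes over when the active router's hello messages stop arriving.
Router names, addresses and priorities are assumptions; the timers are the
HSRP defaults (hello every 3 s, peer declared down after 10 s of silence).
"""
from dataclasses import dataclass

HELLO_INTERVAL = 3   # seconds between hello messages
HOLD_TIME = 10       # seconds without hellos before the active router is declared down


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100     # HSRP default priority
    preempt: bool = False   # HSRP default: no preemption
    alive: bool = True
    last_hello_seen: float = 0.0


class HsrpGroup:
    """One HSRP group: a virtual IP address and the routers competing for it."""

    def __init__(self, virtual_ip, routers):
        self.virtual_ip = virtual_ip
        self.routers = {r.name: r for r in routers}
        self.active = None      # name of the router currently forwarding
        self.now = 0.0
        self.log = []
        self.elect()

    @staticmethod
    def _rank(r):
        # Highest priority wins; a tie goes to the highest IP address.
        return (r.priority, tuple(int(octet) for octet in r.ip.split(".")))

    def elect(self):
        """Pick the active router among live ones, honouring preemption rules."""
        candidates = [r for r in self.routers.values() if r.alive]
        if not candidates:
            self.active = None
            return None
        best = max(candidates, key=self._rank)
        current = self.routers[self.active] if self.active else None
        # A live active router keeps the role unless the better router preempts.
        if current is not None and current.alive and not best.preempt:
            return self.active
        if best.name != self.active:
            self.log.append((self.now, f"{best.name} active for {self.virtual_ip}"))
            self.active = best.name
        return self.active

    def advance(self, seconds):
        """Advance the clock in hello intervals; live routers send hellos."""
        target = self.now + seconds
        while self.now < target:
            self.now += HELLO_INTERVAL
            for r in self.routers.values():
                if r.alive:
                    r.last_hello_seen = self.now
            active = self.routers[self.active] if self.active else None
            if active is None:
                self.elect()
            elif self.now - active.last_hello_seen >= HOLD_TIME:
                # Standby has heard nothing for the hold time: take over.
                self.log.append((self.now, f"{active.name} hold timer expired"))
                self.active = None
                self.elect()
            elif active.alive:
                self.elect()   # lets a recovered, higher-priority router preempt


def failover_demo(preempt=True):
    """Return (initial active, active after A fails, active after A recovers)."""
    a = Router("RouterA", "10.0.0.2", priority=110, preempt=preempt)
    b = Router("RouterB", "10.0.0.3")
    group = HsrpGroup("10.0.0.1", [a, b])   # 10.0.0.1 is the virtual gateway
    first = group.active
    a.alive = False                          # Router A fails
    group.advance(HOLD_TIME)
    after_fail = group.active
    a.alive = True                           # Router A comes back
    group.advance(HELLO_INTERVAL)
    return first, after_fail, group.active


if __name__ == "__main__":
    print(failover_demo(preempt=True))    # ('RouterA', 'RouterB', 'RouterA')
    print(failover_demo(preempt=False))   # ('RouterA', 'RouterB', 'RouterB')
```

The two runs show why the preempt setting matters in the lab: without it, Router B keeps forwarding after Router A recovers, so the hosts' gateway stays reachable but the higher-priority router sits idle until the next failure.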

2. RCEL Activities for Scenario IV

1. Determine the purpose of the exercise [SAN01, IRV01, HIL01, HIG01, BIS01, BIS03, MAY01, PFL01, NAT16, NAT13, NAT01, BLO02, CHI01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

2. Jointly define the scope and restrictions of the exercise

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

3. Generate MOU or MOA as required

{L.O.s: 34-37L}

4. Define the needs and scope of the network [IRV03, HIL01, LAN01, BIS01, MAY01, 42, MCC01, MAN01, HOF01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

5. Design the network configuration [SAN01, HIL01, BIS01, MAY01, NAT16, NAT12, NAT04, NAT05, NAT08, MCC01, NAT17, ELE01, MOC01, POS01, LON01, GER01, LEI01, NET01]

{L.O.s: ALL}

6. Write a security plan [DEP03, SAN01, LEI02, NAT18, DEP01, NAT16, NAT12, NAT04, KEN01, NAT17]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

7. Connect the hardware (without connecting the VPN to the internet or the router) [NAT12, EEE01]

{L.O.s: 1G, 2G, 4G, 5G, 7N, 10N, 13N, 18N, 23S, 27A, 29L, 30L, 34L}

8. Configure router(s) as needed [SAN01, LEI02, COM02, CIS01, DEP01, DEP01, NAT06, NAT10, KEN01, LAR01, NAT17, MOC01, POS01, BER02, LON01, ROS01, NET01]

{L.O.s: 2G, 4G, 5G, 7N, 8-11N, 13-15N, 17N, 18N, 23S, 27A, 29-37L}

9. Configure the switch as needed including VLANs [COM02, CIS01, DEP01, NAT04, NAT08, LAR01, NAT17, ROS01]

{L.O.s: 2G, 4G, 5G, 7N, 8-11N, 13-15N, 17N, 18N, 23S, 27A, 29-37L}

10. Configure and test the workstations including security per the security plan [SAN01, COM02, DEP01, NAT16, NAT14, NAT03, NAT05, NAT09, LIT01, RUS01, FRA01, POS01, BER02, LON01, ROS01, DAY01, KEL01, GER01]

{L.O.s: 1-6G, 7N, 8N, 10N, 13N, 14N, 15N, 17N, 18N, 20-24S, 25A, 27A, 29-37L}

11. Implement and test the remainder of the security plan including incident response and operational continuity [SAN01, NAT18, COM02, DEP02, DEP01, NAT15, NAT16, NAT14, NAT03, NAT05, NAT06, RUS01, NAT17, NET01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16-18N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

12. Implement and test the data collection stations as needed [NAT15, MAN01]

{L.O.s: 1-6G, 7-11N, 13-18N, 20S, 22S, 25A, 26A, 30-32L, 35L, 37L}

13. Configure the VPN according to the security plan and the requirements of the local network administrator [DEP01, NAT10, KEN01, NAT17]

{L.O.s: 1G, 4G, 5G, 7N, 9N, 10N, 11N, 14-18N, 23S, 24S, 27A, 28A, 29-34L}

14. Test the VPN with the other exercise organization(s) without the RCEL router connected [KEN01]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L}

15. Connect the RCEL router when the exercise is ready to begin

{L.O.s: 2G, 6G, 9N, 10N, 13N, 15-18N, 23S, 24S, 29L, 31L, 32L, 36L}

16. Test the security of the VPN [NAT10, KEN01, NAT17]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L, 37L}

17. Conduct the scheduled exercise [IRV01, IRV03, HIL01, 13, 14, 15, 16, NAT13, BLO02, BLO01, SVI01, CHI01]

{L.O.s: ALL}

18. Collect data during the exercise [NAT15, MAN01]

{L.O.s: 3G, 4G, 5G, 9-12N, 14N, 15-18N, 19-24S, 29L, 32L, 35L}

19. Disconnect the router and VPN when the exercise is concluded [CIS01, KEN01, LAR01]

{L.O.s: 8N, 12N, 13N, 17N, 18N, 19S, 23S, 25A, 27A, 33L, 34L, 36L}

20. Analyze the success/failure of the security plan [NAT08, MAN01, DAY01]

{L.O.s: 6G, 7-18N, 19-24S, 25-28A, 29-37L}

21. Perform post-exercise forensics as needed [MAN01]

{L.O.s: 8N, 9N, 12N, 14N, 19S, 20S, 23S, 24S, 34L, 36L, 37L}

22. Debrief the exercise with both parties [SAN01, NAT16, NAT14, NAT12, NAT04, NAT05, NAT01]

{L.O.s: 4G, 6G, 8N, 10N, 12-15N, 19S, 20S, 24S, 25-27A, 29-31L, 33L, 36L, 37L}

23. Document as needed [DEP02]

{L.O.s: ALL}

E. SCENARIO V - EXTERNAL NETWORK VULNERABILITY ASSESSMENT

1. The Design

The RCEL may also be used by an organization as an active vulnerability assessment (VA) mechanism. For example, the XYZ organization has just implemented a new network and has requested an assessment to see if it can be readily penetrated before allowing it to go “live.” XYZ configures a VPN connection to the RCEL and the network vulnerability assessment class (or assigned professionals) systematically attempts penetration and enumeration of XYZ’s network. The findings may be used for student assessment and for helping XYZ determine their level of vulnerability.

Before the exercise is undertaken, a MOU/MOA should be negotiated and signed between the host RCEL and assessment target organizations. In this exercise, the local RCEL becomes, in effect, a contractor to the assessment target organization. Services provided depend on the specific need of the assessment target organization but must fall within the capability of the host RCEL and the administrative organization, e.g., NPS.

Services most likely to be requested and most easily supported include “red team” activities, training, or other specific remote assessment functions. In the discussion of this configuration a remote vulnerability assessment is assumed. NIST Special Publication 800-42 [NAT11] is an excellent guide for vulnerability assessment. The document provides a good list of VA activities and tools a host RCEL might use.
RCEL Scenario V

Figure 15, Scenario V - Vulnerability Assessment

Figure 15 shows a possible configuration for the VA Scenario. In this configuration, the security stations are restored and the workstations are dedicated to the task of evaluation. Note in Figure 15 the data collection station, which represents any of a set of equipment (for example, a logic analyzer or sniffer) or applications (for example, forensic data collection applications, packet capture analysis and display, ...) that might be used in the assessment process. In this scenario the RCEL network System Administrator will want a standard complement of network support functions implemented [DEP02], e.g., PDC, syslog, ghost, DNS, etc.

Probing and testing an external network is an intentionally intrusive procedure [NAT11] and may follow a pattern similar to that of Scenario III (attacking/hacking an external network). Major differences between Scenario III and Scenario V are intent (supportive versus malicious), probing with consent of the owners (activity step 3 below) of the network being evaluated, application of scientific method and the need for careful documentation including time spent, tester’s name, vulnerabilities found, methodologies used, etc.
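A way to capture the consent, scope and documentation requirements just listed, as an added Python example that is not from the thesis: an engagement record that refuses to log any assessment action unless it falls inside a signed agreement’s address range and time window, and that totals the time, testers and findings needed for the professional report (activity steps 3, 5, 6, 9, 24 and 29 below). The organization name XYZ comes from the text; the address ranges, dates, tester names, methods and findings are constructed for the example.

```python
"""Engagement record for a Scenario V style assessment.

Added example, not part of the thesis. It encodes the differences the text
draws between Scenario III and Scenario V: owner consent (a signed agreement),
an agreed scope and time window, and a log of who tested what, when, and how.
Every address, date, name and finding below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


class NotAuthorized(Exception):
    """Raised when an action falls outside the signed agreement."""


@dataclass
class Agreement:
    """The MOU/MOA terms that bound the assessment (activity steps 3 and 9)."""
    target_org: str
    in_scope: list            # CIDR strings the owner consented to
    start: datetime
    end: datetime
    signed_by: str = ""       # empty string means no signature yet

    def covers(self, host: str, when: datetime) -> bool:
        """True only if signed, inside the time window and inside the consented ranges."""
        addr = ip_address(host)
        in_window = self.start <= when <= self.end
        in_range = any(addr in ip_network(cidr) for cidr in self.in_scope)
        return bool(self.signed_by) and in_window and in_range


@dataclass
class Engagement:
    agreement: Agreement
    entries: list = field(default_factory=list)

    def record(self, tester, when, host, method, minutes, finding=None):
        """Log one assessment action, refusing anything outside the agreement."""
        if not self.agreement.covers(host, when):
            raise NotAuthorized(f"{host} at {when:%Y-%m-%d %H:%M} is outside the agreement")
        self.entries.append({
            "tester": tester, "time": when, "host": host,
            "method": method, "minutes": minutes, "finding": finding,
        })

    def report(self) -> dict:
        """Totals that go into the professional report and the bill (steps 29 and 30)."""
        return {
            "target": self.agreement.target_org,
            "total_minutes": sum(e["minutes"] for e in self.entries),
            "testers": sorted({e["tester"] for e in self.entries}),
            "findings": [e["finding"] for e in self.entries if e["finding"]],
        }


def demo():
    """Constructed sample engagement; returns the report and the rejected action."""
    terms = Agreement(
        target_org="XYZ",
        in_scope=["192.0.2.0/24"],            # documentation range, constructed
        start=datetime(2004, 3, 15, 8, 0),
        end=datetime(2004, 3, 15, 17, 0),
        signed_by="XYZ network owner",
    )
    eng = Engagement(terms)
    eng.record("student-1", datetime(2004, 3, 15, 9, 0), "192.0.2.10",
               "port enumeration", 30)
    eng.record("student-2", datetime(2004, 3, 15, 10, 0), "192.0.2.20",
               "service version check", 45, finding="unpatched web server")
    rejected = None
    try:  # a host outside the consented range must be refused and never logged
        eng.record("student-1", datetime(2004, 3, 15, 11, 0), "198.51.100.5",
                   "port enumeration", 10)
    except NotAuthorized as exc:
        rejected = str(exc)
    return eng.report(), rejected


def unsigned_is_refused() -> bool:
    """An agreement without a signature authorizes nothing, even in scope and on time."""
    terms = Agreement("XYZ", ["192.0.2.0/24"],
                      datetime(2004, 3, 15, 8, 0), datetime(2004, 3, 15, 17, 0))
    return not terms.covers("192.0.2.10", datetime(2004, 3, 15, 9, 0))


if __name__ == "__main__":
    print(demo())
    print(unsigned_is_refused())
```

The check runs before the entry is written, so the log only ever contains actions the owner consented to; the refused attempt surfaces as an exception the instructor sees rather than as a silent gap in the record.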

2. RCEL Activities for Scenario V

1. Determine the purpose of the exercise [SAN01, IRV01, HIL01, HIG01, BIS01, BIS03, MAY01, PFL01, NAT16, NAT13, NAT01, BLO02, CHI01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

2. Jointly define the scope and restrictions of the exercise [DEP03, DEP02, NAT17]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

3. Generate MOU or MOA or other legal agreements as required

{L.O.s: 34-37L}

4. Define the scope of the network and identify data collection requirements [IRV03, HIL01, LAN01, BIS01, MAY01, NAT15, 42, MCC01, MAN01, HOF01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

5. Define a management plan to document time and costs

{L.O.s: 30-37L}

6. Begin documenting all management requested information, i.e., costs, time, contacts, signatures, etc.

{L.O.s: 27A, 35-37L}

7. Design the network configuration [SAN01, HIL01, BIS01, MAY01, NAT16, NAT12, NAT04, NAT05, NAT08, MCC01, NAT17, ELE01, MOC01, POS01, LON01, GER01, LEI01, NET01]

{L.O.s: ALL}

8. Write a security plan for properly defending the host network [DEP03, SAN01, LEI02, NAT18, DEP01, NAT16, NAT12, NAT04, KEN01, NAT17]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

9. Get signed authorization to proceed from appropriate command/management levels [DEP02]

{L.O.s: 27A, 35-37L}

10. Connect the hardware (without connecting the VPN to the internet or the router) [NAT12, EEE01]

{L.O.s: 1G, 2G, 4G, 5G, 7N, 10N, 13N, 18N, 23S, 27A, 29L, 30L, 34L}

11. Configure router(s) and test as needed [SAN01, LEI02, COM02, CIS01, DEP01, DEP01, NAT06, NAT10, KEN01, LAR01, NAT17, MOC01, POS01, BER02, LON01, ROS01, NET01, CIS03]

{L.O.s: 2G, 4G, 5G, 7N, 8-11N, 13-15N, 17N, 18N, 23S, 27A, 29-37L}

12. Configure the switch as needed including VLANs [COM02, CIS01, DEP01, NAT04, NAT08, LAR01, NAT17, ROS01, CIS03]

{L.O.s: 2G, 4G, 5G, 7N, 8-11N, 13-15N, 17N, 18N, 23S, 27A, 29-37L}

13. Configure and test the workstations including security per the security plan [SAN01, COM02, DEP01, NAT16, NAT14, NAT03, NAT05, NAT09, LIT01, RUS01, FRA01, POS01, BER02, LON01, ROS01, DAY01, KEL01, GER01]

{L.O.s: 1-6G, 7N, 8N, 10N, 13N, 14N, 15N, 17N, 18N, 20-24S, 25A, 27A, 29-37L}

14. Configure and test all data collection devices [NAT15, MAN01]

{L.O.s: 1-6G, 7-11N, 13-18N, 20S, 22S, 25A, 26A, 30-32L, 35L, 37L}

15. Implement and test the remainder of the security plan including incident response and operational continuity [SAN01, NAT18, COM02, DEP02, DEP01, NAT15, NAT16, NAT14, NAT03, NAT05, NAT06, RUS01, NAT17, NET01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16-18N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

16. Configure the VPN according to the security plan and the requirements of the local network administrator [DEP01, NAT10, KEN01, NAT17]

{L.O.s: 1G, 4G, 5G, 7N, 9N, 10N, 11N, 14-18N, 23S, 24S, 27A, 28A, 29-34L}

17. Test the VPN with the requesting organization without the RCEL router connected [KEN01]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L}

18. Confirm the foreign network is isolated per the evaluation agreement (get a signature on this)

{L.O.s: 35L, 36L}

19. Connect the RCEL router when the exercise is ready to begin

{L.O.s: 2G, 6G, 9N, 10N, 13N, 15-18N, 23S, 24S, 29L, 31L, 32L, 36}

20. Test the security of the VPN [NAT10, KEN01, NAT17]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L, 37L}

21. Conduct the scheduled evaluation [DEP03, SAN01, COM01, MAR01, NAT18, COM02, DEP02, DEP01, NAT16, NAT14, NAT12, NAT03, NAT05, NAT08, NAT09, NAT10, LIT01, NAT17, DAY01, NET01, CIS03]

{L.O.s: ALL}

22. Collect data during the exercise [NAT15, MCC01, MAN01]

{L.O.s: 3G, 4G, 5G, 9-12N, 14N, 15-18N, 19-24S, 29L, 32L, 35L}

23. Disconnect the router and VPN when the exercise is concluded

{L.O.s: 8N, 12N, 13N, 17N, 18N, 19S, 23S, 25A, 27A, 33L, 34L, 36L}

24. Document exercise activities and data collected

{L.O.s: ALL}

25. Analyze the success/failure of the security plan [NAT08, MAN01, DAY01]

{L.O.s: 6G, 7-18N, 19-24S, 25-28A, 29-37L}

26. Perform post-exercise forensics as needed [MCC01]

{L.O.s: 8N, 9N, 12N, 14N, 19S, 20S, 23S, 24S, 34L, 36L, 37L}

27. Debrief the exercise with both parties [SAN01, NAT16, NAT14, NAT12, NAT04, NAT05, NAT01]

{L.O.s: 4G, 6G, 8N, 10N, 12-15N, 19S, 20S, 24S, 25-27A, 29-31L, 33L, 36L, 37L}




28. Document as needed [DEP03, DEP02]

{L.O.s: ALL}

29. Prepare and send a professional report

{L.O.s: 27A}

30. Bill as indicated

{L.O.s: 27A}

F. SCENARIO VI - AGGRESSIVE CYBER EXERCISE

1. The Design

This scenario is intended to be a very aggressive cyber exercise. Basically, the RCEL joins a VPN-based internet with other participating organizations and acts as both the aggressor and defender.

This type of exercise is very realistic. Any network deployed today with outside access will be attacked very quickly. Col. Hunt (USA) from JTF-CNO (Joint Task Force-Computer Network Operations) stated in an interview at NPS on March 9, 2004 that DoD networks are, on average, attacked within 23 minutes of going live. There are even cases of networks being compromised while being configured. Again, refer to Figure 4 and Figure 5: to give the student a realistic experience managing complex networks, the NPS RCEL uses subnets and makes extensive use of VLANs. In Figure 16 [LAR01], we see a typical network configuration incorporating a perimeter router, a DMZ, a protected DMZ and a firewall.
Figure 16, Typical Network Design with Perimeter Security [LAR01] (diagram labels: Perimeter router; Corporate user networks)

The organizations involved in this scenario will need to agree on terms and conditions of the exercise and a mutually agreed upon start and stop time. This scenario is very similar to the “capture the flag” type of exercise conducted annually at DEFCON (a hacker’s conference, http://www.defcon.org/).

The network will likely need a full range of services: primary and backup domain controllers for Windows-based authentication; DHCP server; mail server; syslog server; and DNS server. Supportive applications such as FTP, MySQL (or other database application), Web Services, and specific application servers may also be desired. This exercise provides a good testing ground for recently developed applications.

In the all-out war exercise, the network can be configured with multiple redundancy/fail-over safeguards applied. These may include multiple HSRP routers, load-balanced routers and switches and similar advanced techniques. However, this redundancy adds a lot of complex network administration and few students will be up to the challenge without previous training. The increased complexity adds little to the educational process. The only valid reason to add such extraordinary precautions would be if the students were experienced network administrators or if a particular network configuration was being tested or evaluated.
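The segmentation in Figure 16, together with the NetScreen “Partition” and “Check” steps from Scenario IV, as an added Python example that is not part of the thesis or of [LAR01]: a first-match, default-deny zone policy for the internet, DMZ, protected DMZ and internal user networks, plus a dry-run check that reports any rule permitting a flow the design forbids (for example, internet to internal). Zone addresses, ports and rules are constructed for the example, and the evaluator is a simplified model rather than the semantics of any particular firewall product.

```python
"""Zone-based policy check for a perimeter router / DMZ / protected DMZ design.

Added example, not from the thesis or from [LAR01]. The zones, addresses and
rules are constructed; the evaluator is a plain first-match, default-deny model.
check_policy() is the "Check" step: a dry run against flows that must never be
allowed, run before the network goes live.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing: each zone is one VLAN/subnet (documentation ranges).
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),               # public-facing servers
    "protected_dmz": ip_network("198.51.100.0/24"),  # back-end servers
    "internal": ip_network("10.10.0.0/16"),          # corporate user networks
}


def zone_of(host: str) -> str:
    """Most specific zone wins; anything unmatched falls into 'internet'."""
    addr = ip_address(host)
    matches = [(name, net) for name, net in ZONES.items() if addr in net]
    return max(matches, key=lambda zn: zn[1].prefixlen)[0]


# (src zone, dst zone, protocol or None for any, dst port or None for any, action)
RULES = [
    ("internet", "dmz", "tcp", 80, "allow"),
    ("internet", "dmz", "tcp", 443, "allow"),
    ("dmz", "protected_dmz", "tcp", 3306, "allow"),     # web tier to database only
    ("internal", "dmz", "tcp", None, "allow"),
    ("internal", "protected_dmz", "tcp", 22, "allow"),  # administrative access
    ("internal", "internet", "tcp", None, "allow"),
    ("dmz", "internal", None, None, "deny"),            # explicit so it is logged
]
DEFAULT_ACTION = "deny"


def evaluate(src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule decides; no match means the default deny applies."""
    s, d = zone_of(src), zone_of(dst)
    for rs, rd, rp, rport, action in RULES:
        if (rs, rd) == (s, d) and rp in (None, proto) and rport in (None, port):
            return action
    return DEFAULT_ACTION


# Design invariants: zone pairs that no rule may ever permit.
FORBIDDEN = [
    ("internet", "internal"),
    ("internet", "protected_dmz"),
    ("dmz", "internal"),
]


def check_policy(rules=RULES):
    """Dry run: return every rule that permits a forbidden zone pair."""
    return [rule for rule in rules
            if rule[4] == "allow" and (rule[0], rule[1]) in FORBIDDEN]


SAMPLE_FLOWS = [  # constructed (src, dst, proto, port)
    ("203.0.113.7", "192.0.2.10", "tcp", 443),     # internet -> DMZ web server
    ("203.0.113.7", "10.10.5.5", "tcp", 445),      # internet -> internal host
    ("192.0.2.10", "198.51.100.20", "tcp", 3306),  # DMZ web -> back-end database
    ("192.0.2.10", "10.10.5.5", "tcp", 22),        # DMZ -> internal host
]


def audit_flows(flows=SAMPLE_FLOWS):
    """Decision for each sample flow, as (src, dst, action)."""
    return [(s, d, evaluate(s, d, p, port)) for s, d, p, port in flows]


if __name__ == "__main__":
    for entry in audit_flows():
        print(entry)
    print("violations:", check_policy())
    mistaken = RULES + [("internet", "protected_dmz", "tcp", 3306, "allow")]
    print("violations after a bad change:", check_policy(mistaken))
```

Running check_policy() on every proposed rule change, as the “Update” step suggests, catches the common lab mistake of opening the back-end tier to the outside while trying to make a web application work.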

2. RCEL Activities for Scenario VI

1. Determine the purpose of the exercise [SAN01, IRV01, HIL01, HIG01, BIS01, BIS03, MAY01, PFL01, NAT16, NAT13, NAT01, BLO02, CHI01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

2. Jointly define the scope and restrictions of the exercise [DEP03, DEP02, NAT17]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

3. Generate MOU or MOA or other legal agreements as required

{L.O.s: 34-37L}

4. Define the scope of the network and identify data collection requirements [IRV03, HIL01, LAN01, BIS01, MAY01, NAT15, 42, MCC01, MAN01, HOF01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

5. Design the network configuration [SAN01, HIL01, BIS01, MAY01, NAT16, NAT12, NAT04, NAT05, NAT08, MCC01, NAT17, ELE01, MOC01, POS01, LON01, GER01, LEI01, NET01, HOF01]

{L.O.s: ALL}

6. Define network data vulnerability and risk [SAN01, NAT18, DEP02, NAT15, NAT12, NAT03, NAT05, NAT10, NAT17, HOF01]

{L.O.s: }

7. Write a security plan for properly defending the host network emphasizing defense in depth [DEP03, SAN01, LEI02, NAT18, DEP01, NAT16, NAT12, NAT04, KEN01, NAT17]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

8. Write attack plans as needed [MCC01, MAN01]

{L.O.s: 3G, 4G, 6G, 8N-11N, 14-18N, 21-24S, 21-28A, 32-37L}

9. Get signed authorization to proceed from appropriate command/management levels [HOF01]

{L.O.s: 35L, 37L}

10. Connect the hardware (without connecting the VPN to the internet or the router) [NAT12, EEE01]

{L.O.s: 1G, 2G, 4G, 5G, 7N, 10N, 13N, 18N, 23S, 27A, 29L, 30L, 34L}

11. Configure router(s) and test as needed [SAN01, LEI02, COM02, CIS01, DEP01, DEP01, NAT06, NAT10, KEN01, LAR01, NAT17, MOC01, POS01, BER02, LON01, ROS01, NET01, CIS03]

{L.O.s: 2G, 4G, 5G, 7N, 8-11N, 13-15N, 17N, 18N, 23S, 27A, 29-37L}

12. Configure the switch as needed including VLANs [COM02, CIS01, DEP01, NAT04, NAT08, LAR01, NAT17, ROS01, CIS03]

{L.O.s: 2G, 4G, 5G, 7N, 8-11N, 13-15N, 17N, 18N, 23S, 27A, 29-37L}

13. Configure and test the workstations including security per the security plan [SAN01, COM02, DEP01, NAT16, NAT14, NAT03, NAT05, NAT09, LIT01, RUS01, FRA01, POS01, BER02, LON01, ROS01, DAY01, KEL01, GER01]

{L.O.s: 1-6G, 7N, 8N, 10N, 13N, 14N, 15N, 17N, 18N, 20-24S, 25A, 27A, 29-37L}

14. Configure and test all data collection systems [NAT15, MAN01]

{L.O.s: 1-6G, 7-11N, 13-18N, 20S, 22S, 25A, 26A, 30-32L, 35L, 37L}

15. Implement and test the remainder of the security plan including incident response and operational continuity [SAN01, NAT18, COM02, DEP02, DEP01, NAT15, NAT16, NAT14, NAT03, NAT05, NAT06, RUS01, NAT17, NET01]

{L.O.s: 1G, 2G, 4-6G, 7N, 8N, 10N, 11N, 14N, 16-18N, 21-24S, 28A, 32L, 34L, 35L, 36L, 37L}

16. Configure the VPN according to the security plan and the requirements of the local network administrator [DEP01, NAT10, KEN01, NAT17]

{L.O.s: 1G, 4G, 5G, 7N, 9N, 10N, 11N, 14-18N, 23S, 24S, 27A, 28A, 29-34L}

17. Test the VPN with the requesting organization without the RCEL router connected [KEN01, LAR01, NAT17]

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L}

18. Confirm the foreign network is isolated per the exercise agreement (important, get a signature on this!) [HOF01]

{L.O.s: 35L, 37L}

19. Connect the RCEL router when the exercise is ready to begin

{L.O.s: 2G, 6G, 9N, 10N, 13N, 15-18N, 23S, 24S, 29L, 31L, 32L, 36}

20. Test the security of the VPN

{L.O.s: 2G, 4G, 6G, 9N, 10N, 11N, 16N, 20S, 23S, 25A, 27A, 28A, 29L, 30L, 32L, 34L, 35L, 37L}

21. Conduct the scheduled exercise

{L.O.s: ALL}

22. Collect data during the exercise

{L.O.s: 3G, 4G, 5G, 9-12N, 14N, 15-18N, 19-24S, 29L, 32L, 35L}

23. Disconnect the router and VPN when the exercise is concluded

{L.O.s: 8N, 12N, 13N, 17N, 18N, 19S, 23S, 25A, 27A, 33L, 34L, 36L}

24. Document exercise activities and data collected

{L.O.s: ALL}

25. Analyze the success/failure of the security plan [MCC01, MAN01]

{L.O.s: 34-37L}

26. Perform post-exercise forensics as needed [MCC01, MAN01]

{L.O.s: 8N, 9N, 12N, 14N, 19S, 20S, 23S, 24S, 34L, 36L, 37L}

27. Debrief the exercise with both parties

{L.O.s: 35L, 37L}

28. Document as needed

{L.O.s: 35L}
VI. CONCLUSIONS

This thesis provides a useful laboratory support model for information assurance education programs. The reader may adopt or adapt any of the learning objectives, exercise scenarios or network topologies for use elsewhere.

Readers engaged in teaching information assurance may use the learning objectives, exercise scenarios and network topologies to reduce their developmental workload and enhance the teaching of information assurance.

Chapter II opens by demonstrating the need for more IA education. The connection between laboratory activities and learning theories is illustrated. Building on the strength of both Dale’s and Bloom’s research in learning and retention, the RCEL provides a venue to support traditional IA courses or to conduct targeted training.

To provide a useful model for learning objectives, a survey of critical information assurance topic areas is presented and then correlated to the information assurance curriculum of the Naval Postgraduate School. NPS provides a model from which to draw courses, as the NPS information assurance curriculum is quite comprehensive. Learning objectives that support the possible activities within the RCEL are developed next. This model categorizes these learning objectives into five areas representing the type of learning processes and student activities taking place: computer laboratory skills, networks, security, analysis and leadership. In the process of categorizing the learning objectives, the emergence of the leadership category was especially interesting. When students work collectively or in groups in challenging, time-sensitive settings, opportunities abound to strengthen their collective skill sets as officers and leaders.

To demonstrate the utility and flexibility of the RCEL concept, the paper presents six cyber-exercise scenarios. The premise of each scenario is that interaction with an external entity provides a high degree of reality and spontaneous experience during the exercise. The second important concept discussed is that, using VPN technology, the interaction between an RCEL and an external facility (hopefully another RCEL) can be safe even when very powerful hacking tools are used.

Scenario I models a simple interaction between local users. Scenario II establishes a network with a defensive perimeter and demonstrates defensive techniques. Scenario III reverses the roles and shows an attack posture. Scenario IV allows two teaching organizations to define exercise activities that satisfy specific needs. Scenario V uses the RCEL to perform vulnerability testing. Scenario VI allows each participating RCEL to attack and defend its network.

To strengthen the RCEL model, each scenario’s potential learning objectives are shown and cross-referenced to NPS information assurance classes. This effort may prove useful to emerging information assurance education and training facilities.

Exercise scenarios provide, in a compressed timeframe, an opportunity to participate in every lifecycle phase of network security: analysis, design, construction, and operation. It is rare that an individual has the opportunity to see a network evolve from idea to operation. This experience can be enlightening, and the RCEL facility provides a safe and controlled environment where success is immediately recognized and failure is not catastrophic.

While a standard computer lab provides some educational benefits, a RCEL has the potential to provide a great deal more experiential learning. The main difference between a RCEL and a static computer lab is twofold: the RCEL is designed to be rapidly (even frequently) reconfigured and the opponent in any exercise is dynamic and real.

This paper has demonstrated that an effective RCEL facility can be deployed with minimal equipment and expenditure. Advanced RCEL configurations (Scenarios II - VI) are also demonstrated, providing a range of possibilities to meet every information assurance laboratory need.




APPENDIX - ACRONYM DEFINITIONS

AAA - authentication, authorization, and accounting

ACM - Association for Computing Machines

ASP - Active Server Pages

ASP - Application Service Provider

BDC - Backup Domain Controller

CS - Computer Science

RCEL - Reconfigurable Cyber-Exercise Laboratory

CISR - Center for INFOSEC Studies and Research

DITSCAP - DoD Information Technology Security Certification and Accreditation Process

DNS - Domain Name Service

DHCP - Dynamic Host Configuration Protocol

FTP - File Transfer Protocol

HSRP - Hot Standby Routing Protocol

HIDS - Host-based Intrusion Detection System

IA - Information Assurance

IDS - Intrusion Detection System

IKE - Internet Key Exchange

IEEE - Institute of Electrical and Electronic Engineers

IPSec - Internet Protocol Security, refer to RFC 2401

IOS - Internetwork Operating System (© Cisco Systems)

JTF-CNO - Joint Task Force - Computer Network Operations

LAN - Local Area Network

LO - Learning Objective

MOA - Memorandum of Agreement

MOU - Memorandum of Understanding

MOVES - Modeling, Virtual Environments and Simulation

NIDS - Network Intrusion Detection System

NIPRNet - Non-Secure Internet Protocol Router Network

NIST - National Institute of Standards and Technology

NSTISSI - National Security Telecommunications and Information Systems Security Instruction

NPS - Naval Postgraduate School

PDC - Primary Domain Controller

PSTN - Public Switched Telephone Network

RIPv2 - Routing Information Protocol Version II

SIPRNet - Secret Internet Protocol Router Network

SSAA - System Security Authorization Agreement

SSH - Secure Shell

SSL - Secure Socket Layer

TLD - Top Level Domain

VoIP - Voice over Internet Protocol

VLAN - Virtual Local Area Network

VPN - Virtual Private Network

WAP - Wireless Access Point